CN100595748C - Electronic value authentication method, authentication system and device - Google Patents

Abstract

An authentication system providing a safety authentication process of electronic values with the use of mobile terminals which do not have a tamperresistant function. The electronic value including encrypted value authentication information (F(VPW)), wherein an authentication information (VPW) corresponding to an electronic value specified by a user is acquired by the hash calculation, is stored in user's mobile terminal. In the user authentication process; authentication apparatus generates a random number R and transmits it to mobile terminal, mobile terminal generates value authentication information (F(VPW')) from authentication information (VPW') corresponding to electronic value input by user, further executes a hash calculation on data wherein value authentication information (F(VPW')) and the random number R are concatenated, generates authentication information (F(VPW') PARALLEL R), transmits it to the authentication apparatus with the electronic value, authentication apparatus decrypts the received electronic value, extracts the value authentication information (F(VPW)) from the electronic value, executes the hash calculation on data wherein value authentication information (F(VPW)) and the random number R are concatenated, generates the authentication information (F(VPW) PARALLEL R), and collates the received authentication information (F(VPW') PARALLEL R) with the authentication information (F(VPW) PARALLEL R), so that the user is authenticated.

Description

The authentication method of electronic values, Verification System and device

Technical field

The present invention relates to a kind of authentication method, Verification System and device of electronic values, electronic values (value) behind the electronic informations such as credit card or access (debit card), membership card, ID card, bill is stored in user's portable terminal device, by authenticated is their the proper owner, provide each self-corresponding article or service to the user, in this service, even portable terminal device is the terminal that does not have anti-tamper (tamper) function, also can carry out safe user authentication process.

Background technology

In the prior art, as carrying out the method that safety certification is handled, the method that has use to authenticate me based on the method for the digital electronic signature of public key encryption mode or the ID by contrasting prior login and password.For example, be applicable in the method that will use digital electronic signature under the situation of portable phone, the IC-card module that will have anti-tamper function is loaded in the portable phone, and in advance the key of the private key of storage public key encryption mode and public-key cryptography is right in this IC-card module, for example, under the situation of credit card, to use the permit of the credit card of public-key cryptography to be stored in the portable phone, when utilizing credit card, the IC-card module is used private key to carry out digital electronic signature and is handled, the authentication side uses the permit of credit card to verify this digital electronic signature, carries out authentification of user thus.On the other hand, when using the method for ID and password, though needn't in portable phone, load IC-card module with anti-tamper function, for ID and the password that contrasts prior login, the database of essential ID of authentication side and password.(for example opening the 2001-265735 communique) with reference to the spy.

But, when using the method for digital electronic signature in the prior art, must load the IC-card module that possesses anti-tamper function, the problem that exists the terminal cost to rise at portable phone or portable terminal device.In addition, when using the method for ID and password, the database of essential ID of authentication side and password, for example, in order to be applicable to the authenticate himself of credit card payment etc., must following method: at the credit settlement terminal that is arranged at each shop allied the ID of credit card member and the database of password are set, or on network, form the center of database, all visit the center at every turn when carrying out authenticate himself with ID and password.Under the former situation, there is the problem on the safety in the database that ID and password is set at the credit settlement terminal of each shop allied, and is physically also unrealistic.In addition, in the latter case, the essential authenticate himself that newly makes up in addition, all need be visited the center when carrying out authenticate himself with the network between center and each credit settlement terminal at every turn, can not expect the problem of processing rapidly so exist.

Summary of the invention

The present invention can solve above-mentioned existing issue, even being to provide a kind of, its purpose do not have the portable terminal device of anti-tamper function can carry out authentication processing at a high speed safely yet, authentication mode applicable to credit card payment or member's authenticate himself, ticket checking etc., and the various systems of this authentication mode of application, in addition, provide a kind of device of realizing this system.

Therefore, to achieve these goals, in authentication method of the present invention, keep electronic values in user-side device, described electronic values has comprised first of encrypted state and has been worth authentication information, first is worth authentication information has implemented first irreversible operation processing to the appointed authentication information of electronic values, to the user is in the processing that authenticates of the proper holder of described electronic values, after generating random number, authentication side device sends to user-side device, user-side device is implemented first irreversible operation to the input authentication information of the electronic values that the user is imported and is handled, generate second and be worth authentication information, and described second data that are worth authentication information and the combination of described random number are implemented second irreversible operation handle, generate second authentication information, described electronic values and described second authentication information are sent to authentication side device, the password of the electronic values that described authentication side device deciphering receives, from electronic values, take out first and be worth authentication information, described first data that are worth authentication information and the combination of described random number are implemented second irreversible operation to be handled, generate first authentication information, verify that described second authentication information that receives is consistent with first authentication information of described generation, come authenticated.

In addition, in authentication mode of the present invention, at the decruption key of the encryption section of electronic values is to implement first decruption key that first data after the 3rd irreversible operation is handled and master key are generated by being worth authentication information to first, authenticated is in proper holder's the processing of described electronic values, user-side device also is worth authentication information to described second and implements the 3rd irreversible operation processing, generate second data, with described electronic values and described second authentication information described second data are sent to authentication side device, authentication side device generates second decruption key according to second data and the master key that receive, deciphers the password of the electronic values that receives with described second decruption key.

In addition, the invention provides a kind of user-side device, to authentication side device request authentification of user, it is characterized in that: possess: the electronic values obtaining section, obtain electronic values, comprised the first value authentication information of appointed authentication information having been implemented first irreversible operation processing with encrypted state in the described electronic values, be worth the authentication information generating unit, the input authentication information of the described electronic values of user input is implemented first irreversible operation to be handled, generate second and be worth authentication information, the authentication information generating unit, be worth authentication information to described second and implement second irreversible operation processing with the data of the random number combination that receives from authentication side device, generate second authentication information, sending part sends to authentication side device with the described electronic values and second authentication information.

In addition, described user-side device provided by the invention, it is characterized in that: the decruption key of the encryption section of described electronic values is to implement first decruption key that first data after the 3rd irreversible operation is handled and master key are generated by being worth authentication information to first, described user-side device also possesses: the second data generating unit, be worth authentication information to described second and implement the 3rd irreversible operation processing, generate second data, described sending part together sends to authentication side device with second data and described electronic values, described second authentication information.

In addition, a kind of authentication side device provided by the invention, carry out the user's of user-side device authentification of user, it is characterized in that, possess: the random number sending part, send to described user-side device after generating random number, acceptance division, receive the electronic values and second authentication information from described user-side device, described electronic values includes with the state of encrypting has implemented the first value authentication information that first irreversible operation is handled to appointed authentication information, described second authentication information applies first irreversible operation by the input authentication information to described user input and handles second being worth the combined data of authentication information and described random number and implementing second irreversible operation and handle generation of generating, be worth the authentication information leading-out portion, the password of the encryption section of the described electronic values that deciphering receives, from electronic values, take out first and be worth authentication information, the first authentication information generating unit, data after described first value authentication information and the combination of described random number are implemented second irreversible operation, generate first authentication information, proof department, described second authentication information that checking receives is consistent with described first authentication information of generation, authenticated.

In addition, at described authentication side device provided by the invention, it is characterized in that: also possess the decruption key generating unit, the decruption key of the encryption section of described electronic values is to have implemented first decruption key that first data after the 3rd irreversible operation is handled and master key are generated by being worth authentication information to first, described acceptance division also receives from described user-side device and is worth second data that authentication information has been implemented the 3rd irreversible operation processing generation to second, by described second data and the master key that receive, generate second decruption key, described value authentication information leading-out portion is deciphered the password of the electronic values that receives with described second decruption key that generates.

In addition, the invention provides a kind of electronic values distribution device, receive the electronic values distribution request message of request distribution electronic values and described user-side device is issued electronic values from user-side device, it is characterized in that, possess: acceptance division, reception comprises the electronic values distribution request message to the appointed authentication information of the electronic values of user's appointment of user-side device, be worth the authentication information generating unit, the appointed authentication information of the described electronic values that receives is implemented first irreversible operation to be handled, the generating value authentication information, the encryption key generating unit, according to the data and master key generation encryption key the described value authentication information that generates implemented after second irreversible operation is handled, the electronic values generating unit, use the encryption key that generates, generation comprise described value authentication information encryption the electronic values of information, sending part sends to described user-side device with the electronic values that generates.

In addition, the present invention also provides a kind of electronic values distribution device, receive the electronic values distribution request message of request distribution electronic values and described user-side device is issued electronic values from user-side device, it is characterized in that, possess: acceptance division, reception comprises the electronic values distribution request message that the appointed authentication information of the electronic values of user's appointment of user-side device is applied the value authentication information of first irreversible operation processing, the encryption key generating unit, according to the data and master key generation encryption key the described value authentication information that generates implemented after second irreversible operation is handled, the electronic values generating unit, use the described encryption key that generates, the electronic values of the information that generation has comprised described value encrypted authentication information, sending part sends to described user-side device with the electronic values that generates.

In addition, the invention provides a kind of locking device, the electronic key that receives the distribution of request electronic key information from user-side device is issued request message and described user-side device is issued electronic key information, it is characterized in that: have: electronic key distribution request acceptance division, reception comprises the electronic key distribution request message that first after the appointed authentication information of the electronic key information of user's appointment of user-side device implemented first irreversible operation and handle is worth authentication information, the encryption key generating unit, according to described first data and the master key generation encryption key that is worth after authentication information has been implemented the 3rd irreversible operation processing to receiving, the electronic key generating unit, use the electronic key of described generation, generation comprise with described first be worth encrypted authentication information the electronic key information of information, sending part, the electronic key information that generates is sent to described user-side device, the random number sending part, when the authentication of electronic key information, send to described user-side device after generating random number, acceptance division, receive second authentication information from described user-side device, be worth authentication information to second and implement second data that generation is handled in the 3rd irreversible operation, and electronic key, described second authentication information is handled second being worth authentication information and the combined data of random number and implementing second irreversible operation and handle and generate of being generated by the input authentication information that the user imported of described user-side device being implemented first irreversible operation, the decruption key generating unit, according to second data and master key generating solution decryption key, be worth the authentication information leading-out portion, use the decruption key of described generation, the password of the encryption section of the described electronic key information that deciphering receives, from electronic key information, take out first and be worth authentication information, the first authentication information generating unit, the combined data of described first hand value authentication information and described random number are implemented second irreversible operation to be handled, generate first authentication information, proof department, described second authentication information that checking receives is consistent with described first authentication information of generation, authentication electronic key information, latch mechanism portion, the switching of locking under by the authentic situation of described proof department in electronic key information.

In addition, in authentication mode of the present invention, the publisher of electronic values implements digital electronic signature to electronic values, is in proper holder's the processing of described electronic values in authenticated, the digital electronic signature that the checking of authentication side is implemented the electronic values of clear crytpographic key.According to this authentication mode, can prevent to forge electronic values, and can improve the security of authentication processing.

According to this authentication mode, because the encryption key of encrypted electronic value is all different to each electronic values, so even hypothesis has been deciphered the password of an electronic values, but because do not influence other electronic values, so still can improve security.

According to this authentication mode, needn't not want anti-tamper function at secret informations such as user side storage encryption keys yet, but can be authentication side safety certification user.

According to this Verification System, needn't also needn't load anti-tamper function at secret informations such as portable terminal device storage encryption keys, but can be by authenticate device safety certification user.

According to this Verification System, because the encryption key of encrypted electronic value is all different to each electronic values, so even hypothesis has been deciphered the password of an electronic values, but because do not influence other electronic values, so still can improve security.

According to this Verification System, can prevent to forge electronic values, and can improve the security of authentication processing.

According to this Verification System, can issue the service of various electronic values to portable terminal device.

The electronic values authentication mode of the application of the invention, Verification System and constitute the device of Verification System can utilize the portable terminal device of no anti-tamper function, carry out safe authentication processing.

In addition, electronic credit can be downloaded to portable phone for electronic values, carry out safe credit settlement with portable phone, the user needn't carry credit card, can improve convenience.

In addition, the user can download to portable phone with multiple electronic credit, therefrom select electronic credit and use, in addition, credit settlement terminal can be corresponding to multiple credit card and a plurality of assignee (ア Network Off イ ア ラ), and is pocket, so salesman's portability credit settlement terminal of shop allied such as snacks shop or shop, restaurant for example, guest (user) is waited for, can settle accounts at prostitution scenes such as sales counter or places.

In addition, electronic bill can be downloaded to portable phone as electronic values, the ticket checking of using portable phone to carry out electronic bill is handled, and the user needn't arrive particular place in order to obtain bill, or obtains by posting, and convenience improves.

In addition, electronic key is downloaded to portable phone as electronic values, can use portable phone to open or close locking device, in addition, because the key transfer of physics does not take place, so the user will key get the place of managing keys, in addition, management-side also needn't be provided with carries out the undertaker that key is transferred the possession of, and can realize professional efficient activity.

In addition, according to user management, can in addition, can carry out the ineffective treatment of electronic key to the electronic key of a plurality of portable phone distribution locking devices.In existing key, losing key or do not returning under the situation of assistant key, for safety, necessary exchange locking device, but according to this electronic key system, even lose the portable phone of store electrons key or do not return the electronic key of the portable phone that is issued to friend, still can improve user convenience at locking device side ineffective treatment electronic key.

Description of drawings

Fig. 1 is the process flow diagram of the electronic credit download process in the invention process form 5.

Fig. 2 is the process flow diagram of the electronic credit settlement process in the invention process form 5.

Fig. 3 is the mode chart of the electronic credit data structure in the expression the invention process form 5.

Fig. 4 is the block diagram of the electronic credit settlement system in the invention process form 6.

Fig. 5 is the block diagram of the credit settlement terminal in the invention process form 6.

Fig. 6 is the mode chart of canned data in the flash memory portion of the security card in the expression the invention process form 6.

Fig. 7 is the mode chart of the information of the wallet application program management of the middle storage of storer (nonvolatile memory) of portable phone in the expression the invention process form 6.

Fig. 8 is the mode chart of the data structure of the electronic credit in the expression the invention process form 6.

Fig. 9 is the process flow diagram of the electronic credit download process in the invention process form 6.

Figure 10 is the process flow diagram of the electronic credit settlement process in the invention process form 6.

Figure 11 is the process flow diagram of the electronic bill settlement process in the invention process form 6.

Figure 12 is the block diagram of the electronic billing system in the invention process form 7.

Figure 13 is the block diagram of the ticket-checked device in the invention process form 7.

Figure 14 is the mode chart of canned data in the security module flash portion that represents in the invention process form 7.

Figure 15 is the mode chart of the information of the wallet application program management of storage in the storer (nonvolatile memory) of the portable phone in the expression the invention process form 7.

Figure 16 is the mode chart of the electronic bill data structure in the expression the invention process form 7.

Figure 17 is the process flow diagram of the electronic bill download process in the invention process form 7.

Figure 18 is the process flow diagram that the electronic bill ticket checking in the invention process form 7 is handled.

Figure 19 is the process flow diagram that the electronic bill ticket checking in the invention process form 7 is handled.

Figure 20 is the block diagram of the electronic key system in the invention process form 8 and the example 9.

Figure 21 is the block diagram of the locking device in the invention process form 8 and the example 9.

Figure 22 is the mode chart of the information of the wallet application program management of storage in the storer (nonvolatile memory) of the portable phone in expression the invention process form 8 and the example 9.

Figure 23 is the mode chart of the data structure of the electronic key in expression the invention process form 8 and the example 9.

Figure 24 is the process flow diagram of the download process of the electronic key in the invention process form 8.

Figure 25 is the process flow diagram of the electronic key authentication processing in the invention process form 8.

Figure 26 is the mode chart of canned data among the EEPROM of the security module in the expression the invention process form 9.

Figure 27 is the process flow diagram of the wallet application program download process in the invention process form 9.

Figure 28 is the process flow diagram that the electronic key distribution in the invention process form 9 is handled.

Figure 29 is the process flow diagram of the electronic key authentication processing in the invention process form 9.

Figure 30 is the block diagram of the electronic credit settlement system in the invention process form 5.

Figure 31 is the figure of expression summary of the present invention.

Figure 32 is the precedence diagram of the processing of authentication request device and authenticate device.

Figure 33 is the illustration whether first information, second information, the first information and second information of encryption exists the Rule of judgment of prescribed relationship.

Figure 34 is the functional block diagram of the authentication request device of the invention process form 1.

Figure 35 is an illustration of the first information of encryption.

Figure 36 is the functional block diagram of the authenticate device of the invention process form 1.

Figure 37 is the processing flow chart of the invention process form 1.

Figure 38 is the functional block diagram of the authentication request device of the invention process form 2.

Figure 39 is the functional block diagram of the authentication request device of the invention process form 3.

Figure 40 is the processing flow chart of the invention process form 3.

Figure 41 is the functional block diagram of the associating information device of the invention process form 4.

Figure 42 is the processing flow chart of the associating information device of the invention process form 4.

Figure 43 is an illustration of embodiments of the invention.

Figure 44 is the figure of the relation of each data among expression Figure 43.

Embodiment

Below, with reference to accompanying drawing example of the present invention is described.The invention is not restricted to these embodiment, in the scope that does not break away from spirit of the present invention, can carry out the enforcement of variety of way.

(summary of the present invention)

Figure 31 is an expression synoptic diagram of the present invention.In the present invention, authentication request device 3101 authenticates by authenticate device.At this moment, send authentication information from authentication request device 3101 to authenticate device 3102.

In authentication method of the present invention, on the principle, from authentication request device 3101 before authenticate device 3102 sends its information, needn't be from authenticate device 3102 to authentication request device 3101 transmission information.But, synchronous in order between authentication request device 3101 and authenticate device 3102, to obtain, or avoid pretending to be etc., also can be from authenticate device 3102 to authentication request device 3101 transmission information.

The precedence diagram of the processing of Figure 32 example authentication request device 3101 and authenticate device 3102.At first, at step S3201, the authentication request device sends the first information and second information of encrypting to authenticate device.Receive the first information of encryption and the authenticate device of second information and judge in step S3202 whether the first information of encryption and the relation of second information are prescribed relationship.If prescribed relationship is then authenticated the authentication request device by authenticate device.As a result, for example, the user of authentication request device is carried out settlement process, allow to enter particular place, or unblocking key etc.

Here, so-called [first information of encryption] is with the information of the first information that can be encrypted by the encrypted form that the decruption key that authenticate device keeps is deciphered or comprises the information of this information.The first information can be various information.For example, the also ecological authentication information of random number, credit card number, telephone number, IP address, mark user fingerprints or iris etc. etc.In addition, so-called [second information] is to be used to judge whether the relation with the first information is the information of prescribed relationship.For example, whether identical second information can be to be used to judge the information with the first information.In addition, when with the binary representation first information and second information, also can be to be used to judge whether the difference of the first information and second information is the information of setting.

In the present invention, as the first information, second information of encrypting, can be thought of as can be by the information of digital signal performance.Therefore, authentication request device of the present invention and authenticate device can be realized by digital machine.As digital machine, not only suppose what desktop computer etc. was difficult to move, personal digital assistant) for example also consider portable phone, PDA (Personal Digital Assistance: computing machine movably such as.

Figure 33 represents whether the first information, (2) second information, (3) first information and second information that encrypts (1) exist the example of three combinations of the Rule of judgment of prescribed relationship.

Among Figure 33 (A), the first information of encrypting is the information (Encrypt (password)) encrypting the regulation password by the form that the decruption key that authenticate device keeps is deciphered, second information is the password of this regulation, Rule of judgment is, whether the first information gained information (Decrypt (first information of encryption)) of the decruption key enabling decryption of encrypted that is kept by authenticate device equals second information.

If the first information of encrypting is Encrypt (password), then because Decrypt (first information of encryption) becomes password, so if second information is password, the people who then imports second information is the people who knows the first information content of encryption.Therefore, import the proper keeper of the first information of the artificial encryption of second information, can authenticate.

Among Figure 33 (B), the first information of encryption is Encrypt (password).Second information is that password is applied the resulting information of predetermined processing (F (password)).So-called [predetermined processing] is meant processing predetermined between authentication request device and authenticate device.Preferably, this predetermined processing is as MD5 (Message Digest 5) or SHA1 (Sesure Hash Algorithm Versionl) etc., too much calculated amount, and be difficult to know its inverse function (this processing is called as irreversible operation or hash operations sometimes).By using this processing, can be difficult to know password from second information.

In Figure 33 (B), rated condition is whether F (Decrypt (first information of encryption)) equates with second information.This is because if the first information of encrypting is Encrypt (password), then F (Decrypt (first information of encryption)) becomes F (password).

In addition, among Figure 33 (B), predetermined processing (F) also can change along with the carrying out of authentication.For example, between authentication request device and authenticate device, obtain the synchronous of the moment, select F corresponding to current time.Or send the first information and second information of encrypting to authenticate device from the authentication request device earlier, send random number from authenticate device to the authentication request device afterwards, determine (for example to handle by this random number, the information of random number and input is connected (CONCATENATE), its result is carried out additional inverse operations such as MD5 or SHA1.)。

(example 1)

The functional block diagram of the authentication request device of Figure 34 example the invention process form 1.

Authentication request device 3400 is the devices to the authenticate device request authentication, has first information obtaining section 3401, the second information obtaining section 3402 and the sending part 3403 of encryption.

[first information obtaining section of encryption] 3401 obtains the first information 3404 of encryption.For example, from recording mediums such as input medias such as keyboard, floppy disk, CD, hard disk, storage card, obtain the first information 3404 of encryption.

Shown in Figure 35 (A), the first information 3404 of encryption can be the gained information of only first information being encrypted.Or shown in Figure 35 (B), for will be to the information after the additional additional information of the first information is encrypted gained information.Additional information is determined by authentication purpose.For example, if the first information of encrypting is represented electronic bill, then additional information is represented date and seat number.

[the second information obtaining section] 3402 obtains second information 3405.For example, from recording mediums such as input medias such as keyboard, floppy disk, CD, hard disk, storage card, obtain second information 3405.In addition, the also ecological authentication information of fingerprint or iris etc. of second information 3405.At this moment, the second information obtaining section 3402 becomes and obtains sensor that ecological authentication information uses or video camera etc.

The first information of the encryption that [sending part] 3403 obtained the first information of encrypting 3401 sends to described authenticate device with after second information that the second information obtaining section obtains is associated.

[association] there is no special implication, if not will give an example, then is while or time to go up the approaching meaning, and the first information of encryption and second information send separably.Much less, transmission can also can be undertaken by wireless by wired.

The functional block diagram of Figure 36 example authenticate device.

Authenticate device 3600 has acceptance division 3601, decruption key maintaining part 3602, decryption part 3603 and judging part 3604.

[acceptance division] 3601 receives the first information of the encryption of sending from the sending part of authentication request device and second information of related transmission with the first information of this encryption.After the first information that receives encryption and second information, be separated into the first information 3605 and second information 3607 of encryption.

The decruption key that [decruption key maintaining part] 3602 keeps the first information of enabling decryption of encrypted to use.Decruption key maintaining part 3602 keeps this common key under the situation that the first information is encrypted by common key.In addition, under the situation that the first information is encrypted by the public key encryption mode, for example under the situation of the first information by public key encryption, 3602 maintenances of decruption key maintaining part are corresponding to the privacy key of the disclosure key.So-called [maintenance] is the temporal continuation that has to a certain degree, can read the ground record.Therefore, decruption key maintaining part 3602 is for example waited by volatile memory, nonvolatile memory, hard disk and realizes.In addition, also can be by realizations such as IC-card with tamper-resistance properties.

[decryption part] 3603 utilizes the decruption key that keeps in the decruption key maintaining part 3602, the first information 3605 of the encryption that deciphering acceptance division 3601 receives, and obtain the first information 3606.That is, from decruption key maintaining part 3602, read decruption key, and the first information 3605 of enabling decryption of encrypted.If the first information of encrypting 3605 is that the first information and additional information are encrypted resulting information, then from decrypted result, obtain the first information.

The first information 3606 that [judging part] 3604 judged decryption part 3603 deciphering with whether have prescribed relationship with related second information 3607 that receives of the first information as the encryption of the first information before the deciphering.For example judge whether [Rule of judgment] shown in Figure 33 is set up.

The processing flow chart of Figure 37 (A) example authentication request device, the processing flow chart of Figure 37 (B) example authenticate device.

The authentication request device is obtained the first information of encryption from the first information obtaining section 3401 of encrypting in step S3701.

In step S3702, obtain second information from the second information obtaining section 3402.

In step S3703, send the first information and second information of encrypting by sending part 3403.

On the other hand, in step S3704, authenticate device receives the first information and second information of encrypting by acceptance division 3601.

In step S3705, obtain decruption key by decryption part 3603, and in step S3706, the first information with the decruption key enabling decryption of encrypted obtains the first information.

In step S3707, judge by judging part 3604 whether the first information and second information exist prescribed relationship.

Process flow diagram shown in Figure 37 for example, also can carry out synchronous processing, or send certain information from authenticate device to the authentication request device for handling an example between authentication request device and authenticate device before step S3701 and step S3704.

According to this example, a kind of authentication device and method can be provided, needn't be in secret informations such as authentication request device side storage key, the also processing that needn't encrypt.

(example 2)

The functional block diagram of the authentication request device of Figure 38 example the invention process form 2.

The authentication request device that the structure of authentication request device 3800 constitutes example 1 has the first information maintaining part 3801 of encryption.

[first information maintaining part of encryption] 3801 keeps the first information of encryption.For example, wait by storer, disk, CD and keep the first information encrypted.

In this example, the first information obtaining section 3401 of encryption obtains the first information of the encryption that keeps in the first information maintaining part 3801 of encryption.Therefore, the action of authentication request device 3800 is in process flow diagram shown in Figure 37 (A), at step S3701, obtains the first information of encryption from the first information maintaining part 3801 of encrypting.

According to this example, because the first information of encrypting is kept by the first information maintaining part 3801 of encrypting, so under situation about authentication request device 3800 being authenticated, can authenticate people to authentication request device 3800 inputs second information by authenticate device.

(example 3)

The functional block diagram of the authentication request device of Figure 39 example the invention process form 3.

The structure of authentication request device 3900 is that the authentication request device of example 1 or 2 has authentication information input part 3901 and authentication information adds the Ministry of worker 3902.

[authentication information input part] the 3901st, input is as the portion of authentication information that with the authentication is the information of purpose.For example, be the portion that predetermined password of input or encrypted number are used, for example keyboard or ten key.Perhaps, for obtaining sensor or the video camera that ecological authentication informations such as fingerprint or iris are used.

[authentication information adds the Ministry of worker] 3902 processing are from the authentication information of authentication information input part 3901 inputs.So-called [processing] is to implement certain computing.For example, carry out the computing that is connected with out of Memory, or carry out computing based on hash function algorithms such as MD5 or SHA1.

In this example, second information is the information after authentication information adds the Ministry of worker's 3902 processing.Therefore, the second information obtaining section 3402 obtains the information after authentication information adds the Ministry of worker's 3902 processing, as second information.

The authentication information processing processing that authentication information adds in the Ministry of worker 3902 can be used any processing.In addition, needn't carry out identical processing at every turn, same authenticated information is obtained the second identical information, can in the processing authentication information, obtain the second different information.Like this, by each different processing, even eavesdropping also can improve security from second information that sending part 3403 sends.

Even to carry out different processing at every turn, but in order authenticating,, must to discern authentication information and add the Ministry of worker 3902 and carried out which kind of processing in the authenticate device side that authenticates.Therefore, before authentication, between authenticate device and authentication request device, must carry out the synchronous processing of having carried out which kind of processing.For example, can prepare the algorithm of several processing in advance, send which algorithm to have processed authentication information to authenticate device with from the authentication request device.Perhaps, send which algorithm of application from authenticate device to the authentication request device and process authentication information.Perhaps, between authenticate device and authentication request device, make constantly synchronously, corresponding to constantly coming selection algorithm.

Also can not change the parameter that the processing algorithm changes algorithm.For example, on authentication information, connect out of Memory,, change out of Memory at every turn and be used as parameter the man-hour that adds that this result implements hash function.For this reason, between authentication request device and authenticate device, share this parameter.For example, send parameter to authenticate device, or send parameter to the authentication request device, or between authentication request device and authenticate device, make synchronously constantly, according to constantly determining parameter from authenticate device from the authentication request device.

The processing flow chart of the authentication request device of this example of Figure 40 (A) example.In step S4001, obtain the first information of encryption by the first information obtaining section 3401 of encrypting.For example, obtain, under the situation of the first information maintaining part 3801 that encryption is arranged, from wherein obtaining from the outside of authentication request device.

In step S4002, authentication information input part 3901 input authentication information.

In step S4003, authentication information adds the Ministry of worker's 3902 processing authentication informations, as second information.

In step S4004, sending part 3403 sends the first information and second information of encrypting.

The processing flow chart of the authenticate device of this example of Figure 40 (B) example.In step S4005, receive the first information and second information of encrypting.

In step S4006, obtain decruption key.

In step S4007, use the first information of decruption key enabling decryption of encrypted, and obtain the first information.

In step S4008, the processing first information.The identical algorithms of processing authentication information is carried out among processing use here and the step S4003, and in addition, use is in case of necessity processed identical algorithms used in the authentication information with the authentication request device and carried out.

In step S4009, judge whether the first information and second information after the processing exists prescribed relationship.As [prescribed relationship] example, identical relation is for example arranged.

According to this example,,, then be difficult to infer authentication information from second information so for example prove information Processing algorithm secret by making because send second information of encrypting and authenticating information gained.In addition, process, even the processing algorithm of authentication information is not secret, also be difficult to know authentication information, so can improve security from second information by using hash function.In addition,,, reduce cost, make the processing high speed so can simplify the authentication request device because the desired calculated amount of processing of hash (hash) function is lacked than general encryption.

(example 4)

The descriptive information associated apparatus is as example 4 of the present invention.So-called associating information device is the device that the first information of generation encryption is used.

The functional block diagram of Figure 41 example information associated apparatus.The associating information device has authentication information obtaining section 4101, first information generating unit 4102, encryption key maintaining part 4103 and adds compact part 4104.

[authentication information obtaining section] 4101 obtains authentication information.For example, from keyboard, ten key or storage card medium, obtain.Or also can obtain by the video camera of obtaining ecological authentication informations such as iris, fingerprint or sensor etc.Perhaps, also can obtain through the authentication information of network from transmissions such as places at interval.Security socket layer) etc. at this moment, expectation is by for example SSL (Secure Socket Layer: add the communication that the crammed network carries out.

[first information generating unit] 4102 authentication informations that utilize the authentication information obtaining section to obtain have certain relation ground with described authentication information and generate the first information.For example, can also can carry out the regulation calculation process and generate the first information with the authentication information former state as the first information authentication information.

[encryption key maintaining part] 4103 keeps encryption key.For example, in storer or hard disk etc., keep key.This encryption key can be the key that is used for the common key processing mode, also can be the key that is used for the public key encryption mode public-key cryptography of privacy key (for example corresponding to).

The first information that the first information generating unit 4104 that the encryption key that [adding compact part] 4104 keeps by encryption key maintaining part 4103 is encrypted generates.

The processing flow chart of Figure 42 example information associated apparatus.In step S4201, obtain authentication information by authentication information obtaining section 4101.

In step S4202, generate the first information by first information generating unit 4102.

In step S4203, obtain encryption key by adding compact part 4104, in step S4204, the first information of encrypting with encryption key.

Afterwards, the first information after encrypting as the first information of encrypting, is recorded in the medium such as storage card, or remains in the authentication request device.

By this example, can generate the first information of encryption.Especially because can generate the first information of encryption, so authenticate device and associating information device needn't communicate by network etc. by the device different with authenticate device.Thereby, can simplify, miniaturization authenticate device etc.

(embodiment)

The embodiment of the example that Figure 43 example illustrates before this.

Among Figure 43, diagram authentication request device 4301 and authenticate device 4302.Authentication request device 4301 possesses nonvolatile memory 4303.Nonvolatile memory 4303 can be to take out, and also can not take out.The information that nonvolatile memory 4303 keeps encrypting V_Auth.Be equivalent to the first information, the first information that the information of encryption V_Auth is equivalent to encrypt.In addition, nonvolatile memory 4303 also can keep user ID.User ID is the not too big value of probability that the time of encrypting V_Auth, the credit card number that the user holds etc. obtain same value.One of purpose of using user ID is identical and generate identical V_Auth when password is with other V_Auth of generation when preventing to generate V_Auth.In addition, the first information of encryption also can be represented the information of any purpose.

Generate V_Auth according to formula shown in Figure 44 first row.Here, [password] is the authentication information of regulation, and [||] expression links computing, by [password || user ID] represent user ID and password are linked resulting information.Hash1 is a hash function.

When 4301 pairs of authenticate device request authentication of authentication request device, (1) input authentication information.The user of authentication request device uses the authentication information input part to carry out this input.For example, import by keyboard or ten key, or ecological authentication informations such as input user's fingerprint or iris.

(2) be the processing that authentication information adds the Ministry of worker to (4), (2) obtain V_Auth ' according to formula shown in Figure 44 (2).Then, (3) receive inquiry from authenticate device 4302.So-called [inquiry] is the value that generates as required.The expectation authenticate device generates different value when sending at every turn, and is the value that is difficult to predict the value that generates below.If obtain V_Auth ' and receive inquiry, then (4) calculate U_Auth '.Obtain U_Auth ' according to formula shown in Figure 44 (4).Hash2 is a hash function, can be the function identical with Hash1, also function that can be different.

If obtain U_Auth ', then (5) obtain the information of the encryption V_Auth that stores in the nonvolatile memory, link, and (6) send to authenticate device 4302.

Afterwards, become the processing of authenticate device 4302, obtain the middle decruption keys that keep such as nonvolatile memory of authenticate device, (7) encrypt the deciphering of the information of the V_Auth that receives, obtain V_Auth.Then, (8) calculate U_Auth by V_Auth with the inquiry that sends to the authentication request device according to the formula (8) of Figure 44.At last, (9) contrast U_Auth and U_Auth '.When the authentication information of the input authentication request unit password when generating V_Auth equated, U_Auth equated with U_Auth ', so whether the user that can authenticate input authentication information thus is the people of the information distribution of acceptance encryption V_Auth.

In the authentication request device,,, can realize the waveformization, cost reduction of authentication request device etc. so the calculated amount that requires is little because the computing of using in the authentication information processing is to link and hash function.In addition, because use inquiry to process authentication information, so, also be difficult to produce privacy concerns even know the information that sends to authenticate device from the authentication request device.In addition, different in the authenticate device side with existing authentication method, needn't keep user ID, password.Therefore, can not limit the distribution of the information of encrypting V_Auth.

(example 5)

The electronic credit settlement system is described, as example 5 of the present invention.Figure 30 represents the block diagram of the electronic credit settlement system in this example 5.This electronic credit settlement system is made of the center 2 of all portable phones 1 of user, credit card company and the credit settlement terminal 3 that is arranged in the snacks shop, portable phone 1 is connected with the cordless communication network 4 of center 2 by portable phone, credit settlement terminal 3 is connected by credit settlement network 5 with center 2, portable phone 1 uses local radio communication function (radio communication of infrared communication, bluetooth, WLAN, contactless IC card etc.) 6 with credit settlement terminal 3, carries out special communications.In portable phone 1, download Java credit knot application program in advance.In addition, for the digital electronic signature of verifying that credit card company that electronic credit is implemented carries out, the permit of storage credit card company in credit settlement terminal 3, the master key Km of the encryption key of managing electronic credit in center 2 and credit settlement terminal 3.

At first, 2 download electronic credit (one of the credit card behind the electronic information, electronic values) from the center corresponding to all credits card of user to portable phone 1.Fig. 1 represents the electronic credit download step.At first, if the user starts Java credit settlement application program (100), display menu picture (101) then, if the user carries out electronic credit distribution solicit operation (102), the card number sign indicating number that then shows credit card and PIN, and corresponding to the picture (103) of the password (VPW) of the electronic credit of download.If user's input card number and PIN and password (104), then portable phone 1 with the hash operations of password (VPW) as a result Hash (vpw) as the comparable data of password, be stored in the storer of portable phone 1 (105), and according to the card number sign indicating number (CN) and the moment (T), generation customer identification information UID=Hash (CN||t) (※ || the binding of expression data), and be stored in (106) in the storer, and according to password (VPW) and customer identification information (UID), generating value authentication information F (VPW)=Hash (VPW||UID) (107) sends the electronic credit distribution request (108) that comprises card number sign indicating number and PIN and be worth authentication information F (VPW) to center 2.Center 2 is according to card number sign indicating number and PIN, and whether authentication is the possessory user of credit card (109), under the situation of authentication, imbeds in electronic credit and is worth authentication information F (VPW), generates electronic credit (ev) (110).And hash operations is worth (value) authentication information F (VPW), after linking with master key Km, carries out hash operations, generates the encryption key Kc=Hash (Km||Hash (F (VPW)) (111) of the common key cipher mode of encrypted electronic credit (ev).Use the encryption key Kc that generates, encrypted electronic credit (ev) generates electronic credit encrypt (ev)=Enc (Kc, ev) (112) after encrypting.Electronic credit encrypt (ev) after the encryption is sent to portable phone 1 (113), the electronic credit encrypt (ev) after encrypting is stored in the storer of portable phone (114), and portable phone 1 shows to download to be finished, and the download process of electronic credit is finished.

The data structure of the electronic credit 300 after the encryption as shown in Figure 3, the electronic credit before encrypting by the electronic credit information 301 of the card number sign indicating number of expression credit card, valid period, user name, publisher's name etc., credit card company to the digital electronic signature 302 of portions of electronics credit information 301 be worth authentication information F (VPW) 303 and constitute.

If stop Java credit settlement application program, then the password that the deletion user imports from storer.The data that keep in the storer of portable phone are the data behind the hash operations password, suppose that portable phone stolen by the third party, even analyzed inner storer, also needn't worry to know password.

Below, illustrate that with Fig. 2 the electronic credit that uses download carries out the step of credit settlement.Credit settlement terminal 3 generates random number R, as credit information.If the user starts Java credit settlement application program (201), then display menu picture (202) if the user carries out electronic credit settlement operations (203), then shows the picture (204) of input corresponding to the password (VPW) of electronic credit.(VPW ') (205) if the user enters password, then portable phone 1 calculates the hash data Hash (VPW ') of password (VPW '), and with storer in the Hash (VPW) of the comparable data of storing contrast authenticated (206).With the inconsistent situation of comparable data under, show wrong (record among the figure), under the situation consistent, receive electronic credit request (207) from credit settlement terminal 3 with comparable data.Comprise random number R in the electronic credit request, the password of portable phone 1 use user input (VPW '), calculate to be worth respectively authentication information F (VPW ')=Hash (VPW ' || UID), and be worth the hash data Hash (F (VPW ') of authentication information F (VPW ') and the binding of random number R || R), be worth the hash data Hash (F (VPW ') of authentication information) (208), electronic credit encrypt (ev) after encrypting, with Hash (F (VPW ') || R) with Hash (F (VPW ')) send to credit settlement terminal 3, as electronic credit (209).The hash data Hash of the value authentication information that credit settlement terminal 3 bases receive (F (VPW ')) and master key Km, calculate it and link Hash, decruption key the Kc '=Hash of the common key cipher mode of the electronic credit after generation is encrypted (Km||Hash (F (VPW '))), the password (210) of deciphering electronic credit.Credit settlement terminal 3 takes out from the electronic credit (ev) after the deciphering and is worth authentication information F (VPW)), the Hash of the binding of calculating and random number R (F (VPW) || R), with the Hash that receives from portable phone 1 (F (VPW ') || R) contrast, under the situation of unanimity, authenticated is the proper owner (211) of electronic credit.Under inconsistent situation, show mistake (not being recorded among the figure) to the user.And credit settlement terminal 3 checking digital electronic signatures 302 (212) detecting under the wrong situation, show mistake to the user.In the checking (212) of digital electronic signature 302, do not detecting under the wrong situation, credit settlement terminal 3 sends authentication result (213) to portable phone 1, and, admit request (215) to what center 2 sent credit settlements, (216) are admitted to handle in center 2, and 2 send to credit settlement terminal 3 and to admit request response (217) from the center, and the credit settlement of credit settlement terminal 3 is finished dealing with.On the other hand, the portable phone 1 that receives authentication result shows finishes (214), finishes the credit settlement of electronic credit and handles.At this moment, if stop Java credit settlement application program, the then password that also the deletion user imports from storer.

The data of exchange all are hash operations or data encrypted between portable phone 1 and credit settlement terminal 3, so even the hypothesis third party eavesdrops communicating by letter between portable phone 1 and the credit settlement terminal 3, can not use the data that intercept to pretend to be.

In the above description, the authentication information of establishing corresponding to electronic credit is a password, but also can be used as ecological information such as user's fingerprint or iris.At this moment, portable phone 1 possesses the function of finger print identifying sensor or iris authentication video camera etc.

In addition, in this example 5, the electronic credit settlement system has been described, but, also same certification authority can be used for the pay out or withdraw cash authentication processing of settlement system or electronic billing system, electronics through ticket system or other electronic values such as membership card or ID card of electronics by the partial content of electronic credit information 301 of change electronic credit.For example, under electronics is paid out or withdraw cash the situation of settlement system, can only in the part of electronic credit information 301, input information such as account No., user name, publisher's name.

(example 6)

Below, the electronic information settlement system of using corresponding to multiple credit card and a plurality of assignee's (ア Network ワ イ ア ラ) pocket credit settlement terminal is described, as example 6 of the present invention.In this example 6, the multiple electronic credit of portable phone management (ev: electronic values a kind of), and the electronic credit (ev) that uses the user to select as the credit card behind the electronic information, and settle accounts between the pocket credit settlement terminal.Because credit settlement terminal is a pocket,, settle accounts at prostitution scenes such as sales counter or places so salesman's portability credit settlement terminal of shop allied such as snacks shop or shop, restaurant does not for example make client (user) wait for.

Fig. 4 represents the structured flowchart of the electronic credit settlement system in this example 6.The credit settlement terminal 403 that this electronic credit settlement system is held by the salesman of the center 2 of all portable phones 401 of user, credit card company, shop allied, to shop allied provide the credit settlement service assignee 404, connect the network 405 between portable phone 401 and the center 402 and be connected credit settlement terminal 403 and assignee 404 between network 406 constitute.

Network 405 is made of the cordless communication network and the Internet of portable phone, can communicate based on the radio communication of portable phone 401 with center 402.In the communicating by letter of portable phone 401 and center 402, security socket layer) or the secret telephony phase (security session) of TLS (Transport Layer Security: transport layer is encrypted) etc. usually establish SSL (Secure Socket Layer:, transmit after the coded communication data.

Network 406 is made of cordless communication network and credit settlement network, can carry out credit settlement terminal 403 and assignee's 404 the communicating by letter of radio communication.Portable phone 401 uses local radio communication functions (radio communication of infrared communication, bluetooth, WLAN, contactless IC card etc.) with credit settlement terminal 403, comprehensively connects and communicates by letter.Center 402 uses industrial siding to communicate with assignee 404.

Credit settlement terminal 403 is corresponding to the clearing of multiple electronic credit, and also corresponding under the different situation of assignee.Therefore, among Fig. 4, center and assignee only illustrate one, but in fact credit settlement terminal 403 is connected with a plurality of assignees through network 406, and carry out credit settlement between the center of a plurality of credit card companies and handle.

Wallet (ワ レ Star ト) application program with managing electronic credit (ev) downloads in the portable phone 401 in advance.In addition, for the clearing corresponding to multiple credit card, to every kind of card storage card information, the master key (Km) of the encryption key of electronic credit (ev) encryption section is deciphered in management in center 402 and credit settlement terminal 403 in credit settlement terminal 403.

Fig. 5 is the block diagram of the inner structure of expression credit settlement terminal 403.Credit settlement terminal 403 comprises: CPU (Central Processing Unit: central processing unit) 500, according to ROM (Read Only Memory: ROM (read-only memory)) program stored in 502, carry out EEPROM (Electrically Erasable Programmable ROM: the processing of the data processing of storage and transceiver data in 503 electricallyerasable ROM (EEROM)), reach and carry out the control of other textural element through bus 513; LCD505, local radio communication I/F510; The wireless communication part 511 of the wireless data communications that the key control portion 509 of switch 508, the detector switch operation of secret draw-in groove 501, operation credit settlement terminal, the acoustic processing portion 507 that drives loudspeaker 506, control carry out through antenna 512; With sector card 501.

Local radio communication I/F510 is the communication I/F of radio communication of infrared communication or bluetooth, WLAN, contactless IC card etc., comprehensively is connected in portable phone and communicates.

Sector card 501 be safety management master key (Km), and safety carry out the device that the electronic credit authentication processing is used, by TRM portion (Tamper Resistant Module: tamper-resist module) 514 and flash memory portion 515 constitute.TRM portion 514 is made of CPU516, ROM517, RAM518, EEPROM519 and coprocessor 520, has the anti-tamper function that prevents from the improper visit in outside.

Flash memory portion 515 encrypts respectively and store electrons credit information tabulation 601 and clearing record information 602 as shown in Figure 6.Electronic credit information list 601 is login tabulations about the electronic credit information of the corresponding kind of credit settlement terminal, and clearing record information 602 is record informations of the electronic credit clearing carried out of credit settlement terminal.CPU516 control coprocessor 520 carries out electronic credit information list 601 and the encryption and the deciphering of settling accounts record information 602.

Fig. 6 is illustrated in situation about logining in the electronic credit information list 601 about the information of 4 kinds of electronic credits (ev).In electronic credit information list 601, to a kind of electronic credit (ev) difference register kind, master key (Km), credit card company's permit, negative tabulation, assignee's information, crisis management information.

The card type class is the identifying information of expression electronic credit (ev) kind, master key (Km) is the master key of the encryption key of deciphering this electronic credit (ev) encryption section, credit card company's permit is the permit of the credit card company of this electronic credit of distribution (ev), negative tabulation is the tabulation of the card number sign indicating number (identifying information) of electronic credit (ev) invalid with regard to this electronic credit (ev), assignee's information is the relevant information that the assignee of the credit settlement service that relates to this electronic credit (ev) is provided, and crisis management information is the information of using when judging on-line authentications such as whether carrying out the place restriction under the situation of this electronic credit (ev) being carried out settlement process etc.

The multimedia messages of acoustic information such as the effect sound of using in the time of in addition, also can be in the electronic credit information list 601 and image information etc. to every kind of electronic credit (ev) login electronic credit settlement process.For example, by kind or intrinsic acoustic information and the image information of credit card kind login to this electronic credit (ev), when finishing, clearing export this effect sound from loudspeaker, displays image information on LCD can conclusively show the electronic credit (ev) that has used this kind (or credit card kind).

Control visit by the CPU516 of sector card 501 to canned data in the flash memory portion 515, credit settlement terminal 403 is through the TRM of sector card 501 one 514, clearing record information 602 is write and reads, but electronic credit information list 601 only can read, and can not write.In addition, in electronic credit information list 601, being controlled to master key (Km) can not read and can not write from credit settlement terminal 403.

Sector card 501 and assignee establish the communication session phase of encrypting through credit settlement terminal 403 and network 406 in the electronic credit information list 601, upgrade in case of necessity.For example,, carry out appending or the renewal of deletion, crisis management information of electronic credit information according to shop allied and assignee's contract, in addition, in order to improve security, more new master key (Km) or negative tabulation.

Portable phone 401 possesses local radio communication I/F, and the wallet application program of portable phone 401 comprehensively is connected with credit settlement terminal 403 through local radio communication I/F, uses the electronic credit (ev) of wallet application program management to carry out the electronic credit clearing.

In the storer (nonvolatile memory) of portable phone 401, as shown in Figure 7, storage wallet display message 701, wallet acoustic information 702, electronic credit tabulation 703 are as the information of wallet application program management.Wallet display message 701 is that the wallet application program is shown in display message such as the image that uses in the picture in the portable phone or map information, wallet acoustic information 702 is acoustic informations such as the effect sound used of wallet application program or melodic information, and electronic credit tabulation 703 is tabulations of the electronic credit (ev) of wallet application program management.

Fig. 7 represents the situation of 3 electronic credits of login (ev) in the electronic credit tabulation 703.In the electronic credit tabulation 703,1 electronic credit (ev) is logined comparable data, customer identification information (UID), electronic credit (ev), attribute respectively.The back describes comparable data and customer identification information (UID) in detail.Attribute is the attribute information that electronic credit (ev) is set, for example, and the effect sound of using when order when setting the guide look of wallet application program demonstration electronic credit or electronic credit clearing or the action of LED or Vib. etc.For example the user selectively carries out setting the order that shows electronic credit corresponding to usage frequency, the sound of output when wallet acoustic information 702 is selected to be set in the electronic credit clearing and finished or during the clearing failure respectively, make the LED flicker when finishing in the electronic credit clearing, or when the clearing failure, make the Vib. action.

Fig. 8 represents the data structure of electronic credit (ev).Electronic credit is made of with information 805 electronic credit public information 801, security information 800 and demonstration substantially.Security information 800 is the information of using in the electronic credit authentication processing, is encrypted by the encryption key that generates according to master key (Km).In addition, show display message such as photo with the identifier marking of information 805 credit card that to be wallet application programs use when the screen displayed electronic credit or user, placement information, pass through set of options.Therefore, by electronic credit (ev), have and hold and do not hold the information that shows with information 805.

Electronic credit public information 801 be the card type class, card number sign indicating number, valid period, user name, publisher's name etc. of record electronic credit relate to electronic credit, should be to the part of the disclosed information of user, the wallet application program is used this electronic credit public information 801 when electronic credit is shown in picture.

Security information 800 also is made of with signature information 804 electronic credit secret information 802, value authentication information 803.The back describes in detail and is worth authentication information 803.

Electronic credit secret information 802 be the crisis management information set of record credit card company etc. relate to electronic credit, may not be to the part of the disclosed information of user, be when electronic credit settle accounts, the information that judges whether credit settlement terminal 403 clear crytpographic keys and carry out uses in the on-line authentication etc.

Signature information 804 is digital electronic signatures that credit card company carries out the data of electronic credit secret information 802 before linking electronic credit public information 801 and encrypting and value authentication information 803, be used for when electronic credit is settled accounts, by credit settlement terminal 403 clear crytpographic keys, by checking digital electronic signature, the validity of checking electronic credit (ev).

The digital electronic signature that expectation signature information 804 preferably generates based on public key encryption mode, the sufficiently long key of use key length in security, but also can be judgement, the data of electronic credit secret information 802 before linking electronic credit public information 801 and encrypting and value authentication information 803 be carried out the result of hash operations by credit card company.

Below, illustrate that at first the user 402 downloads to the step of portable phone 401 with electronic credit (ev) from the center.Fig. 9 represents the download step of electronic credit (ev).At first, if the user starts wallet application program (900), display menu picture (901) then, if the user selects to carry out electronic credit distribution solicit operation (902) by menu, then corresponding to the card number sign indicating number of electronic credit and PIN (Personal Identification Number: PIN) and the electronic credit of downloading (ev), show the value password that the input user sets (VPW:＜U〉v＜/U alue＜U p＜/U ass＜U w＜/U ord) picture (903).Card number sign indicating number and PIN that the card number sign indicating number of this moment and PIN are the existing credit card of user, the electronic credit of download is given the position of its subcard.In addition, also can not give the position of subcard, also can issue electronic credit, as the new contract of user and credit card company.At this moment, inform personality card number and PIN that electronic credit use by postal delivery etc. to the user from credit card company.

If user's input card number and PIN and value password (904), then portable phone 401 will be worth the comparable data of hash operations Hash (VPW) the conduct as a result value password of password (VPW), be stored in the storer of portable phone 401 (905), and according to the card number sign indicating number (CN) and the moment (T), generation customer identification information UID=Hash (CN||T) (※ || the binding of expression data) and be stored in (906) in the storer, and will comprise card number sign indicating number (CN), PIN, customer identification information (UID) sends to center 402 (907) with the electronic credit distribution request that is worth password (VPW).At this moment, in comparable data Hash (VPW) and customer identification information UID=Hash (CN||T) the electronic credit tabulation 703 on the storer of portable phone 401, as the data that relate to newly downloaded electronic credit, be stored in respectively in the field of comparable data and customer identification information.

The center 402 that receives electronic credit distribution request is according to card number sign indicating number (CN) and PIN, whether authenticated is to become the distribution possessory user of electronic credit (908), under the situation of authentication, center 402 is according to being worth password (VPW) and customer identification information (UID), generating value authentication information F (VPW)=Hash (VPW||UID) (909), hash operations is worth authentication information F (VPW), Km is connected with master key, and carry out hash operations, generate the encryption key Kc=Hash (Km||Hash (F (VPW)) (910) of the common key cipher mode of encrypted electronic credit (ev).Center 402 also generates the electronic credit public information of electronic credit (ev), and according to user's credit information and the risk assessment result who is worth password (VPW), generate the electronic credit secret information, and use value authentication information F (VPW) and the encryption key that generates, generate electronic credit (ev) (911) with data structure shown in Figure 8.At this moment, under the situation according to card number sign indicating number (CN) and PIN unauthenticated user, 402 to portable phone 401 transmission error messages from the center, stop the download process (record among the figure) of electronic credit (ev).

The electronic credit (ev) that generates is sent to portable phone 401 (912), and electronic credit (ev) is stored in the storer of portable phone (913), and portable phone 401 shows to download finishes (914), finishes the download process of electronic credit.At this moment, electronic credit (ev) is as new electronic credit, is stored in the electronic credit tabulation 703 on the storer of portable phone 401.In addition, attribute is set default property, in default setting, the sound that uses when not setting the electronic credit clearing.

In addition, in the step (904) of Fig. 9, user's decision operation has precedence over the security of electronic credit clearing, under the situation of stated value password not, portable phone 401 is not worth the hash operations of password (VPW) in step (905), expression is set empty to the comparable data field of electronic credit tabulation 703, and stated value password (VPW) not, in step (907), the field that is worth password (VPW) is set sky, and send the electronic credit settlement requests, in step (909), hash operations customer identification information (UID), generating value authentication information F (VPW)=Hash (UID).

In addition, if stop the wallet application program, then from the storer of portable phone 401, delete the value password (VPW) of user's input.The comparable data that keeps in the storer of portable phone is the data after hash operations is worth password, even the hypothesis third party steals portable phone, and analyzes the content of inner storer, also needn't worry to know the value password.

Below, the step of using the electronic credit of downloading (ev) to carry out the electronic credit clearing is described.Figure 10 represents to use the step of the electronic credit clearing of electronic credit (ev).At first, if the salesman of shop allied begins the operation (input settlement amounts etc.) of electronic credit clearing, then credit settlement terminal 403 generates random number R, as inquiry message (1000).Random number R obtains from sector card 501, is actually that the CPU516 of sector card 501 generates.In case the user starts wallet application program (1001), display menu picture (1002) then, if the user selects the electronic credit that uses by menu, and carries out electronic credit settlement operations (1003), then show the picture (1004) of input corresponding to the value password of electronic credit.

If user's value of import password (VPW ') (1005), then portable phone 401 calculates the hash data Hash that is worth passwords (VPW ') (VPW '), and contrast authenticated (1006) with the Hash (VPW) of comparable data of corresponding electronic credit in the electronic credit tabulation 703.With the inconsistent situation of comparable data under, show wrong (record among the figure), under the situation consistent, receive electronic credit requests (1007) from credit settlement terminal 403 with comparable data.In the electronic credit request, comprise random number R and user terminal control information.The action information of control portable phone 401 when the user terminal control information is the electronic credit clearing, setting credit card company sets and is undertaken by shop allied the pairing control information of environment of electronic credit clearing.Particularly, the user terminal control information is the control user control that could use the effect sound that is set at the electronic credit attribute, its level of sound volume, and the information of the action of control LED and Vib..By the user terminal control information, for example at quiet environment such as hospitals, because big noise is out of favour, the low degree that can discern to the user with the level of sound volume setting, perhaps, forbid the output of effect sound,, can represent clearly whether authentication processing is successful to the user by the action of control LED and Vib..In addition, in the big environment of noises such as busy street, the very high of sound volume setting can be represented clearly to the user whether authentication processing is successful.

The value password of portable phone 401 use user inputs (VPW '), calculate to be worth respectively authentication information F (VPW ')=Hash (VPW ' || UID), and be worth the hash data Hash (F (VPW ') of authentication information F (VPW ') and the binding of random number R || R), be worth the hash data Hash (F (VPW ') of authentication information) (1008), with Hash (F (VPW ') || R), Hash (F (VPW ')) and the service terminal control information send with electronic credit (ev), as message (1009) to credit settlement terminal 403 prompting electronic credits.At this moment, do not send the part of the demonstration of electronic credit (ev) with information 805.The information of credit settlement terminal 403 action usefulness was set the control information of the electronic credit attribute of setting based on the user when service terminal control information was the clearing of control electronic credit.For example, particularly, allow to use the effect sound of user's setting in the user terminal control information, the attribute of electronic credit is set under the situation of the effect sound of exporting when the electronic credit clearing are finished, the service terminal control information is the information that the electronic credit of restriction credit settlement terminal 403 is settled accounts voice output when finishing.

After credit settlement terminal 403 is at first verified the validity (checking of card number sign indicating number and valid period) of content of electronic credit public information 801 of the electronic credit (ev) that receives, with the electronic credit (ev) that receives, Hash (F (VPW ') || R) and Hash (F (VPW ')) send to sector card 501, in sector card 501, carry out electronic credit (ev) and user's offline authentication.In the checking of the content validity of electronic credit public information 801, detecting under the wrong situation, send error messages from credit settlement terminal 403 to portable phone 401, stop the processing (record among the figure) of electronic credit clearing.

The field of the card type class in the sector card 501 contrast electronic credit public informations 801 and the card type class of electronic credit information list 601, determine to use in the processing afterwards the information (master key (Km), credit card company's permit, negative tabulation, assignee's information, crisis management information) that relates to which kind of electronic credit in the electronic credit information list 601, also contrast the card number sign indicating number and negative tabulation of electronic credit (ev), checking electronic credit (ev) is not logined in negative tabulation (1010).

At this moment, in electronic credit information list 601 not shown in the card type class of the electronic credit (ev) that receives of login under the situation of the electronic credit of kind, or under the situation of the electronic credit that receives (ev) login in negative tabulation, sector card 501 returns mistake to credit settlement terminal 403, subsequently, send error message from credit settlement terminal 403 to portable phone 401, stop the processing (not record among the figure) of electronic credit clearing.

Then, sector card 501 calculates the hash data Hash (F (VPW ') of the value authentication information that receives) with the binding hash data of master key Km, decruption key the Kc '=Hash of the common key cipher mode of the part of the security information 800 of the sub-credit of generating solution cipher telegram (Km||Hash (F (VPW '))), and the security information 800 (1011) of using coprocessor 520 to decipher electronic credit.

Sector card 501 takes out from the security information 800 after the deciphering and is worth authentication information 803F (VPW), and the hash data Hash of the binding of calculating and random number R (F (VPW) || R), with the Hash that receives from portable phone 401 (F (VPW ') || R) contrast, under the situation of unanimity, authenticated is the proper owner (1012) of electronic credit.And sector card 501 uses the public-key cryptography in credit card company's permit to verify the signature information 804 of the security information 800 of utilizing coprocessor 520 deciphering, and (1013) are not distorted or forge to checking electronic credit (ev).Hash (F (VPW) || R) with Hash (F (VPW ') || R) under the inconsistent situation, or in signature Information Authentication (1013), detect under the wrong situation, sector card 501 returns mistake to credit settlement terminal 403, and send error messages to portable phone 401 from credit settlement terminal 403, stop the processing (record among the figure) of electronic credit clearing.

In signature Information Authentication (1013), do not detect under the wrong situation, promptly verified under the situation of validity of electronic credit (ev), sector card 501 judges whether to carry out on-line authentication, settlement process action (1014) according to the electronic credit secret information 802 of crisis management information and electronic credit (ev).

In the step (1014) of Figure 10, be judged as under the situation of carrying out on-line authentication, sector card 501 is finished to credit settlement terminal 403 demonstration offline authentication, ask on-line authentication simultaneously, credit settlement terminal 403 sends authentication result (1015) to portable phone 401, and according to assignee's information, admit request (1017) to what assignee 404 sent the electronic credits clearing, assignee 404 admits request (1018) to what center 402 sent the electronic credits clearing, (1019) are admitted to handle in center 402,402 send to assignee 404 and to admit request response (1020) from the center, and admit request response (1021) from assignee 404 to credit settlement terminal 403 transmissions, finish the electronic credit settlement process in the credit settlement terminal 403.On the other hand, the portable phone 401 that receives authentication result shows finishes (1016), finishes the electronic credit settlement process.

Being judged as in the step (1014) of Figure 10 to carry out under the situation of on-line authentication, sector card 501 is finished to credit settlement terminal 403 demonstration offline authentication, credit settlement terminal 403 sends authentication result (1015) to portable phone 401, finish the electronic credit settlement process, the portable phone 401 that receives authentication result shows finishes (1016), finishes the electronic credit settlement process.

In addition, if credit settlement terminal 403 finishes the electronic credit settlement process, then record information is logined in the clearing record information 602 of sector card 501, according to the information of login in electronic credit information list 601 and the service terminal control information that receives, expression electronic credit settlement process is finished.For example, under the situation of login acoustic information, credit settlement terminal 403 is exported these acoustic informations in electronic credit information list 601, as effect sound, in addition, under the situation to service terminal control information restriction voice output, credit settlement terminal 403 is the output effect sound not.

If portable phone 401 finishes the electronic credit settlement process, then according to the attribute of the electronic credit that uses and the user terminal control information that receives, demonstration electronic credit settlement process is finished.For example, the attribute of electronic credit is set the acoustic information of exporting when the electronic credit clearing are finished, and allow the user terminal control information to use the effect sound that attribute is set, under the situation of specifying level of sound volume, portable phone 401 is with the level of sound volume output sound information of appointment, as effect sound, in addition, under the situation of forbidding the effect sound that user terminal control information use is set attribute, portable phone 401 is the output effect sound not.In addition, portable phone 401 too according to the attribute of the electronic credit that uses and the user terminal control information that receives, shows the failure of electronic credit settlement process when stopping the processing of electronic credit clearing after credit settlement terminal 403 sends error message.

In addition, in electronic credit settlement operations (1003), select the user under the situation of the electronic credit of stated value password not, do not carry out step (1004), the step (1005) of Figure 10, the processing of step (1006), portable phone 401 receives electronic information request (1007) from credit settlement terminal 403, in the processing of step (1008), hash operations customer identification information (UID), calculating value authentication information (F (VPW '))=Hash (UID).

In addition, be not based on the digital electronic signature of public key encryption mode in the signature information 804 of the electronic credit that receives (ev), but kind is to linking electronic credit public information 801, with electronic credit secret information 802 and be worth under hash operations result's the situation of electronic credit (ev) of data of authentication information 803, in the processing of checking (1013) of signature information, the hash data of the data of the electronic credit public information 801 of the electronic credit that calculating receives binding (ev) and the electronic credit secret information 802 behind the clear crytpographic key and value authentication information 803, contrast signature information 804, checking electronic credit (ev) is not distorted or is forged.

In addition, under the situation of these electronic credit clearing,, then from storer, delete the value password of user's input and be worth authentication information if also stop the wallet application program.In the data that between portable phone 401 and credit settlement terminal 403, exchange, the data that are used for authentication processing all are to have carried out hash operations or ciphered data, therefore, eavesdrop communicating by letter between portable phone 401 and the credit settlement terminal 403 even suppose the third party, also can't use the data that intercept to pretend to be.

Below, the another step of using the electronic credit of downloading (ev) to carry out the electronic credit clearing is described.Figure 11 represents to use in this example the another step of the electronic credit clearing of electronic credit (ev), in the step of Figure 10, initial user initiates self the wallet application program, and in step shown in Figure 11, according to the message that receives from credit settlement terminal 403, start the wallet application program.

At first, if the salesman of shop allied operates beginning electronic credit clearing (input settlement amounts etc.), then credit settlement terminal 403 generates random number R, as inquiry message (1100).This random number R obtains from sector card 501, is actually that the CPU516 of sector card 501 generates.In case the user carries out receiving from credit settlement terminal 403 operation (1101) of message, then portable phone 401 receives electronic credit request (1102) from credit settlement terminal 403.In the electronic credit request, comprise settlement amounts, random number R and user terminal control information.

The portable phone 401 that receives the electronic credit request starts the wallet application program, show and inquire about the dialog box (1103) of the settlement amounts that receives being used which electronic credit, if the user selects the electronic credit that uses by menu, when carrying out electronic credit settlement operations (1104), show the picture (1105) of input corresponding to the value password of electronic credit.

In case user's value of import password (VPW ') (1106), then portable phone 401 calculates the hash data Hash that is worth passwords (VPW ') (VPW '), and contrast authenticated (1107) with the Hash (VPW) of comparable data of corresponding electronic credit in the electronic credit tabulation 703.With the inconsistent situation of comparable data under, show wrong (not record among the figure), under the situation consistent with comparable data, the value password of portable phone 401 use user inputs (VPW '), the authentication information of calculating value respectively F (VPW ')=Hash (VPW ' || UID), and be worth the hash data Hash (F (VPW ') of authentication information F (VPW ') and the binding of random number R || R), the hash data Hash of value authentication information (F (VPW ')) (1108), with Hash (F (VPW ') || R), Hash (F (VPW ')) and the service terminal control information send with electronic credit (ev), as message (1009) to credit settlement terminal 403 prompting electronic credits.At this moment, do not send the part of the demonstration of electronic credit (ev) with information 805.

After credit settlement terminal 403 is at first verified the validity (checking of card number sign indicating number and valid period) of content of electronic credit public information 801 of the electronic credit (ev) that receives, with the electronic credit (ev) that receives, Hash (F (VPW ') || R) and Hash (F (VPW ')) send to sector card 501, in sector card 501, carry out electronic credit (ev) and user's offline authentication.In the checking of the content validity of electronic credit public information 801, detecting under the wrong situation, send error messages from credit settlement terminal 403 to portable phone 401, stop the processing (record among the figure) of electronic credit clearing.

The field of the card type class in the sector card 501 contrast electronic credit public informations 801 and the card type class of electronic credit information list 601, determine to use in the processing afterwards the information (master key (Km), credit card company's permit, negative tabulation, assignee's information, crisis management information) that relates to which kind of electronic credit in the electronic credit information list 601, also contrast the card number sign indicating number and negative tabulation of electronic credit (ev), checking electronic credit (ev) is not logined in negative tabulation (1110).

At this moment, in electronic credit information list 601 not shown in the card type class of the electronic credit (ev) that receives of login under the situation of the electronic credit of kind, or under the situation of the electronic credit that receives (ev) login in negative tabulation, sector card 501 returns mistake to credit settlement terminal 403, subsequently, send error message from credit settlement terminal 403 to portable phone 401, stop the processing (not record among the figure) of electronic credit clearing.

Then, sector card 501 calculates the hash data Hash (F (VPW ') of the value authentication information that receives) with the binding hash data of master key Km, decruption key the Kc '=Hash of the common key cipher mode of the part of the security information 800 of the sub-credit of generating solution cipher telegram (Km||Hash (F (VPW '))), and the security information 800 (1111) of using coprocessor 520 to decipher electronic credit.

Sector card 501 takes out from the security information 800 after the deciphering and is worth authentication information 803F (VPW), and the hash data Hash of the binding of calculating and random number R (F (VPW) || R), with the Hash that receives from portable phone 401 (F (VPW ') || R) contrast, under the situation of unanimity, authenticated is the proper owner (1112) of electronic credit.And sector card 501 uses the public-key cryptography in credit card company's permit to verify the signature information 804 of the security information 800 of utilizing coprocessor 520 deciphering, and (1113) are not distorted or forge to checking electronic credit (ev).Hash (F (VPW) || R) with Hash (F (VPW ') || R) under the inconsistent situation, or in signature Information Authentication (1113), detect under the wrong situation, sector card 501 returns mistake to credit settlement terminal 403, and send error messages to portable phone 401 from credit settlement terminal 403, stop the processing (record among the figure) of electronic credit clearing.

In signature Information Authentication (1113), do not detect under the wrong situation, promptly verified under the situation of validity of electronic credit (ev), sector card 501 judges whether to carry out on-line authentication, settlement process action (1114) according to the electronic credit secret information 802 of crisis management information and electronic credit (ev).

In the step (1114) of Figure 11, be judged as under the situation of carrying out on-line authentication, sector card 501 is finished to credit settlement terminal 403 demonstration offline authentication, ask on-line authentication simultaneously, credit settlement terminal 403 sends authentication result (1115) to portable phone 401, and according to assignee's information, admit request (1117) to what assignee 404 sent the electronic credits clearing, assignee 404 admits request (1118) to what center 402 sent the electronic credits clearing, (1119) are admitted to handle in center 402,402 send to assignee 404 and to admit request response (1120) from the center, and admit request response (1121) from assignee 404 to credit settlement terminal 403 transmissions, finish the electronic credit settlement process in the credit settlement terminal 403.On the other hand, the portable phone 401 that receives authentication result shows finishes (1116), finishes the electronic credit settlement process.

Being judged as in the step (1114) of Figure 11 to carry out under the situation of on-line authentication, sector card 501 is finished to credit settlement terminal 403 demonstration offline authentication, credit settlement terminal 403 sends authentication result (1115) to portable phone 401, finish the electronic credit settlement process, the portable phone 401 that receives authentication result shows finishes (1116), finishes the electronic credit settlement process.

In addition, if credit settlement terminal 403 finishes the electronic credit settlement process, then record information is logined in the clearing record information 602 of sector card 501, according to the information of login in electronic credit information list 601 and the service terminal control information that receives, expression electronic credit settlement process is finished.For example, under the situation of login acoustic information, credit settlement terminal 403 is exported these acoustic informations in electronic credit information list 601, as effect sound, in addition, under the situation to service terminal control information restriction voice output, credit settlement terminal 403 is the output effect sound not.

If portable phone 401 finishes the electronic credit settlement process, then according to the attribute of the electronic credit that uses and the user terminal control information that receives, demonstration electronic credit settlement process is finished.For example, the attribute of electronic credit is set the acoustic information of exporting when the electronic credit clearing are finished, and allow the user terminal control information to use the effect sound that attribute is set, under the situation of specifying level of sound volume, portable phone 401 is with the level of sound volume output sound information of appointment, as effect sound, in addition, under the situation of forbidding the effect sound that user terminal control information use is set attribute, portable phone 401 is the output effect sound not.In addition, portable phone 401 too according to the attribute of the electronic credit that uses and the user terminal control information that receives, shows the failure of electronic credit settlement process when stopping the processing of electronic credit clearing after credit settlement terminal 403 sends error message.

In addition, in electronic credit settlement operations (1104), select the user under the situation of the electronic credit of stated value password not, do not carry out step (1105), the step (1106) of Figure 11, the processing of step (1107), portable phone 401 advances to the processing of step (1108), hash operations customer identification information (UID), calculating value authentication information (F (VPW '))=Hash (UID).

In addition, be not based on the digital electronic signature of public key encryption mode in the signature information 804 of the electronic credit that receives (ev), but kind is to linking electronic credit public information 801, with electronic credit secret information 802 and be worth under hash operations result's the situation of electronic credit (ev) of data of authentication information 803, in the processing of checking (1113) of signature information, the hash data of the data of the electronic credit public information 801 of the electronic credit that calculating receives binding (ev) and the electronic credit secret information 802 behind the clear crytpographic key and value authentication information 803, contrast signature information 804, checking electronic credit (ev) is not distorted or is forged.

In addition, under the situation of these electronic credit clearing,, then from storer, delete the value password of user's input and be worth authentication information if also stop the wallet application program.In the data that between portable phone 401 and credit settlement terminal 403, exchange, the data that are used for authentication processing all are to have carried out hash operations or ciphered data, therefore, eavesdrop communicating by letter between portable phone 401 and the credit settlement terminal 403 even suppose the third party, also can't use the data that intercept to pretend to be.

In the above explanation of this example 6, though described the electronic credit settlement system, but, also same certification authority can be used for the pay out or withdraw cash authentication processing of settlement system or other electronic values such as membership card or ID card of electronics by the electronic credit public information 801 of change electronic credit and the partial content of electronic credit secret information 802.For example, under electronics is paid out or withdraw cash the situation of settlement system, can only in the part of electronic credit public information 801, input information such as account No., user name, publisher's name.

(example 7)

Below, electronic billing system is described, as example 7 of the present invention.In this example 7, portable phone management multiple as electronic information the electronic bill (ev: electronic values a kind of) of bill (ticket), and the electronic credit (ev) that uses the user to select, and carry out ticket checking between the ticket-checked device and handle.

Figure 12 represents the structured flowchart of electronic billing system.Electronic billing system by the ticket-checked device 1203 of all portable phones 1201 of user, the center 1202 of bills company, the ticket checking that is arranged on the station or incident meeting-place inlet etc., connect and reach the network 1204 that is connected between ticket-checked device 1203 and the center 1202 between portable phone 1201 and the center 1202 and constitute.

Network 1204 is made of the cordless communication network and the Internet of portable phone, can communicate based on the radio communication of portable phone 1201 with center 1202, and can communicate based on the Internet of ticket-checked device 1203 with center 1202.Portable phone 1201 and center 1202 communicate by letter and the communicating by letter of ticket-checked device 1203 and center 1202 in, security socket layer) or the secret telephony phase (security session) of TLS (Transport Layer Security: transport layer is encrypted) etc. usually establish SSL (SecureSocket Layer:, transmit after the coded communication data.Portable phone 1201 uses local radio communication functions (radio communication of infrared communication, bluetooth, WLAN, contactless IC card etc.) with ticket-checked device 1203, comprehensively connects and communicates by letter.

Wallet application program with managing electronic credit (ev) downloads in the portable phone 1201 in advance.In addition, for the ticket checking corresponding to multiple bill is handled, to every kind of bill storing bill information, management is used to generate the master key (Km) of encryption key in center 1202 and ticket-checked device 1203 in ticket-checked device 1203, the part that this encryption key deciphering electronic credit (ev) is encrypted.

Figure 13 is the block diagram of the inner structure of expression ticket-checked device 1203.Ticket-checked device 1203 comprises: the portion of door mechanism 1311 of the baffle plate of switch door (flap); Detect the start sensor 1312 of user's access door and startup ticket-checked device 1203; Local radio communication I/F1313; LED1314; The control part 1310 of loudspeaker 1315 and these parts of control in control part 1310, except that the control circuit of direct control other parts, is also assembled security module 1300.

Local radio communication I/F1313 is the communication I/F of radio communication of infrared communication or bluetooth, WLAN, contactless IC card etc., comprehensively is connected in portable phone and communicates.

Security module 1300 be safety management master key (Km), and safety carry out the device that the electronic credit authentication processing is used, by TRM portion (Tamper Resistant Module: tamper-resist module) 1306 and flash memory portion 1307 constitute.TRM portion 1306 is made of CPU1301, ROM1302, RAM1303, EEPROM1304 and coprocessor 1305, has the anti-tamper function that prevents from the improper visit in outside.

Flash memory portion 1307 encrypts respectively and tabulation 1401 of store electrons billing information and ticket checking record information 1402 as shown in figure 14.Electronic bill information list 1401 is login tabulations about the electronic bill information of the corresponding kind of ticket-checked device, and ticket checking record information 1402 is record informations that electronic bill ticket checking that ticket-checked device carries out is handled.CPU1301 control coprocessor 1305 carries out the encryption and the deciphering of electronic bill information list 1401 and ticket checking record information 1402.Figure 14 is illustrated in situation about logining in the electronic bill information list 1401 about the information of 4 kinds of electronic bills (ev).In electronic bill information list 1401, a kind of electronic bill (ev) is logined bill kind, master key (Km), bills company's permit, negative tabulation respectively.

The bill kind is the identifying information of expression electronic bill (ev) kind, master key (Km) is the master key that is used for generating the encryption key of deciphering this electronic bill (ev) encryption section, bills company's permit is the permit of bills company of this electronic bill of distribution (ev), and negative tabulation is the tabulation of the note number (identifying information) of electronic bill (ev) invalid with regard to this electronic bill (ev).

Multimedia messagess such as acoustic information such as the effect sound of using in the time of also can handling in the electronic bill information list 1401 in addition, and image information to the ticket checking of every kind of electronic bill (ev) login electronic bill.For example, to the kind or the intrinsic acoustic information and the image information of bills company's login of this electronic bill (ev), finish the ticket checking processing from loudspeaker output effect sound, displays image information on LCD, thus, can conclusively show the electronic bill (ev) that has used this kind (or bills company).

Control visit by the CPU13016 of security module 1300 to canned data in the flash memory portion 1307, ticket-checked device 1203 is through the TRM of security module 1300 one 1306, ticket checking record information 1402 is write and reads, but electronic bill information list 1401 only can read, can not write.In addition, in electronic bill information list 1401, being controlled to master key (Km) can not read and can not write from ticket-checked device 1203.

In the electronic bill information list 1401, security module 1300 and middle the heart channel of Hang-Shaoyin ticket-checked device 1203 and network 1204 are established the communication session phase of encrypting, and upgrade in case of necessity.For example,, carry out appending or deleting of electronic bill information according to the practitioner of management ticket-checked device 1203 and the contract of bills company, in addition, in order to improve security, more new master key (Km) or negative tabulation.

Portable phone 1201 possesses local radio communication I/F, and the wallet application program of portable phone 1201 comprehensively is connected with ticket-checked device 1203 through local radio communication I/F, uses the electronic bill (ev) of wallet application program management to carry out electronic bill ticket checking processing.In addition, the wallet application program in this example also possesses the managing electronic credit of explanation in the example 6 and carries out the function that electronic credit is settled accounts.

In the storer (nonvolatile memory) of portable phone 1201, as shown in figure 15, storage wallet display message 1501, wallet acoustic information 1502, electronic credit tabulation 1503, electronic bill tabulation 1504 are as the information of wallet application program management.Wallet display message 1501 is that the wallet application program is shown in display message such as the image that uses in the picture in the portable phone or map information, wallet acoustic information 1502 is acoustic informations such as the effect sound used of wallet application program or melodic information, and electronic bill tabulation 1504 is tabulations of the electronic bill (ev) of wallet application program management.Electronic credit tabulation 1503 is the same with the electronic credit tabulation 704 of explanation in the example 2, omits explanation here.

Figure 15 represents the situation of 3 electronic bills of login (ev) in the electronic bill tabulation 1504.In the electronic bill tabulation 1504,1 electronic bill (ev) is logined comparable data, customer identification information (UID), electronic bill (ev), attribute respectively.The back describes comparable data and customer identification information (UID) in detail.

Attribute is the attribute information that electronic bill (ev) is set, for example, and the effect sound of using when order when setting the guide look of wallet application program demonstration electronic bill or electronic bill ticket checking are handled or the action of LED or Vib. etc.For example the user selectively carries out setting the order that shows electronic bill corresponding to usage frequency, respectively when wallet acoustic information 1502 is selected to be set in the electronic bill ticket checking and is finished dealing with or the sound of ticket checking output when handling failure, when the electronic bill ticket checking is finished dealing with, make the LED flicker, or when failure is handled in ticket checking, make the Vib. action.

Figure 16 represents the data structure of electronic bill (ev).Electronic bill is made of with information 1605 electronic bill public information 1601 and demonstration substantially.Security information 1600 is the information of using in the electronic bill authentication processing, is encrypted by the encryption key that generates according to master key (Km).In addition, show with display message such as information 1605 image that to be wallet application programs use when the screen displayed electronic bill or placement information, set of options.Therefore, by electronic bill (ev), have and hold and do not hold the information that shows with information 1605.

Electronic bill public information 1601 be record bill attribute information, valid period, publisher's name etc. relate to electronic bill, should be to the part of the disclosed information of user, the wallet application program is used this electronic bill public information 1601 when electronic bill is shown in picture.In the bill attribute information, but but except that the bill kind of expression electronic bill kind, the access times of access times of note number, the expression electronic bill ticket checking complement mark whether ticket checking is handled, expression electronic bill as the identifying information of each electronic bill, under the situation of for example event ticket, also comprise the attribute information that incident title or date, seat number, meeting field information etc. relate to this bill.

Security information 1600 also is made of with signature information 1604 electronic bill secret information 1602, value authentication information 1603.The back describes in detail and is worth authentication information 1603.

Electronic bill secret information 1602 be the Customer management information set of record bills company etc. relate to electronic bill may not be to the part of the disclosed information of user, be when the electronic bill ticket checking is handled, ticket-checked device 1203 clear crytpographic keys, the practitioner who manages ticket-checked device 1203 or the information that bills company uses in case of necessity.

Signature information 1604 is digital electronic signatures that bills company carries out the data of electronic bill secret information 1602 before linking electronic bill public information 1601 and encrypting and value authentication information 1603, be used for when the electronic bill ticket checking is handled, by ticket-checked device 1203 clear crytpographic keys, by checking digital electronic signature, the validity of checking electronic bill (ev).

Expectation signature information 1604 is based on the digital electronic signature public key encryption mode, that the sufficiently long key of key length generates on the safety in utilization, but also can be judgement, the data of electronic bill secret information 1602 before linking electronic bill public information 1601 and encrypting and value authentication information 1603 be carried out the result of hash operations by bills company.

Below, at first illustrate the user from the center 1202 steps of downloading electronic bills (ev).Figure 17 represents the download step of electronic bill (ev).At first, the user uses the access to the Internet function of portable phone 1201, visit center 1202, select the electronic bill of hope, in addition, carry out the operation (1700) of the electron gain bills such as settlement process provide a loan in case of necessity, if between portable phone 1201 and center 1202, obtain to handle (1701), then from the center 1202 to portable phone 1201 transmission navigation message (1702).Navigation message (1702) is to supervise portable phone 1201 to download the message of electronic bill (ev), comprises the transaction number (TN) of the electronic bill (ev) of identification download.

The portable phone 1201 that receives navigation message (1702) starts the wallet application program, show whether inquiry downloads the dialog box (1703) of electronic bill, if the user carries out electronic bill distribution solicit operation (1704), then show the value password that the input user sets corresponding to the electronic bill of downloading (ev) (VPW:＜U〉v＜/U alue＜U p＜/U ass＜U w＜/U ord) picture (1705).

If user's value of import password (1706), then portable phone 1201 will be worth the comparable data of hash operations Hash (VPW) the conduct as a result value password of password (VPW), be stored in the storer of portable phone 1201 (1707), and according to the transaction number (TN) and the moment (T), generate customer identification information UID=Hash (TN||T) (※ || expression data link) and be stored in (1708) in the storer, also according to being worth password (VPW) and customer identification information UID, generating value authentication information F (VPW)=Hash (VPW||UID) (1709) will comprise transaction number (TN) and send to center 1202 (1710) with the electronic bill distribution request that is worth authentication information F (VPW).At this moment, in comparable data Hash (VPW) and customer identification information UID=Hash (TN||T) the electronic bill tabulation 1504 on the storer of portable phone 1201, as the data that relate to newly downloaded electronic bill, be stored in respectively in the field of comparable data and customer identification information.

Receive the electronic bill (1711) of the center 1202 of electronic bill distribution request according to the contingent issue of securities of transaction number (TN), hash operations is worth authentication information F (VPW), after master key Km binding, carry out hash operations again, generate the encryption key Kt=Hash (Km||Hash (F (VPW))) (1712) of the common key cipher mode of encrypted electronic bill (ev).Center 1202 also generates the electronic bill public information and the electronic bill secret information of electronic bill (ev), and uses the value authentication information F (VPW) and encryption key Kt that receives, and generates the electronic bill (ev) (1713) with data structure shown in Figure 16.

The electronic bill (ev) that generates is sent to portable phone 1201 (1714), and electronic bill (ev) is stored in the storer of portable phone (1715), and portable phone 1201 shows to download finishes (1716), finishes the download process of electronic bill.At this moment, electronic bill (ev) is as new electronic bill, is stored in the electronic bill tabulation 1504 on the storer of portable phone 1201.In addition, attribute is set default property, in default setting, set the sound that uses when the electronic bill ticket checking is handled.

In addition, in the step (1706) of Figure 17, user's decision operation has precedence over the security that the electronic bill ticket checking is handled, under the situation of stated value password not, portable phone 1201 is not worth the hash operations of password (VPW) in step (1707), expression is set empty to the comparable data field of electronic credit tabulation 1504, and stated value password (VPW) not, in step (1709), hash operations customer identification information (UID), generating value authentication information F (VPW)=Hash (UID).

In addition, if stop the wallet application program, then from the storer of portable phone 1201, delete the value password (VPW) of user's input and be worth authentication information F (VPW).The comparable data that keeps in the storer of portable phone is the data after hash operations is worth password, even the hypothesis third party steals portable phone, and analyzes the content of inner storer, also needn't worry to know the value password.

Below, illustrate and use the electronic bill of downloading (ev) to carry out the step that the electronic bill ticket checking is handled.The step that Figure 18 represents to use the electronic bill ticket checking of electronic bill (ev) to handle.

At first, if the user holds the door that portable phone 1201 is invaded ticket-checked device 1203, then start sensor 1312 detects, and starts ticket-checked device 1203, and ticket-checked device 1203 generates random number R, as inquiry message (1800).This random number R 1 obtains from security module 1300, is actually that the CPU1301 of security module 1300 generates.In case the user starts wallet application program (1801), display menu picture (1802) then, if the user selects the electronic bill that uses by menu, and carry out electronic bill and use operation (1803), then show the picture (1804) of input corresponding to the value password of electronic bill.

If user's value of import password (VPW ') (1805), then portable phone 1201 calculates the hash data Hash that is worth passwords (VPW ') (VPW '), and contrast authenticated (1806) with the Hash (VPW) of comparable data of corresponding electronic bill in the electronic bill tabulation 1504.With the inconsistent situation of comparable data under, show wrong (record among the figure), under the situation consistent, receive electronic bills prompting requests (1807) from ticket-checked device 1203 with comparable data.In electronic bill prompting request, comprise random number R 1 and user terminal control information.The user terminal control information is the action information that time control system portable phone 1201 is handled in the electronic bill ticket checking, and setting bills company sets and undertaken by the practitioner of management ticket-checked device the pairing control information of environment of electronic bill ticket checking processing.Particularly, the user terminal control information is the control user information that could use the effect sound that is set at the electronic bill attribute, its level of sound volume, and the information of the action of control LED and Vib..By the user terminal control information, for example can wait quiet environment in classical music, because big noise is out of favour, the low degree that can discern to the user with the level of sound volume setting, perhaps, forbid the output of effect sound,, can represent clearly whether authentication processing fails to the user by the action of control LED and Vib..In addition, in the big environment of noises such as busy street, can be with sound volume setting very high, come clearly to represent whether success of authentication processing to the user.

Portable phone 1201 generates random number R 1 (1908), and the value password of use user input (VPW '), the authentication information of calculating value respectively F (VPW ')=Hash (VPW ' || UID), and be worth the hash data Hash (F (VPW ') of authentication information F (VPW ') and the binding of random number R 1 || R1), the hash data Hash of value authentication information (F (VPW ')) (1809), with Hash (F (VPW ') || R1), Hash (F (VPW ')) and the service terminal control information send with electronic bill (ev), as message (1810) to ticket-checked device 1203 prompting electronic bills.At this moment, do not send the part of the demonstration of electronic bill (ev) with information 1605.The information of ticket-checked device 1203 action usefulness was set the control information of the electronic bill attribute of setting based on the user when service terminal control information was control electronic bill ticket checking processing.For example, particularly, allow to use the effect sound of user's setting in the user terminal control information, when the attribute of electronic bill is set the electronic bill ticket checking and finished dealing with under the situation of the effect sound of output, the service terminal control information is the information of the electronic bill ticket checking of restriction ticket-checked device 1203 voice output when finishing dealing with.

Ticket-checked device 1203 at first verify the electronic bill (ev) that receives electronic bill public information 1601 content validity (but the ticket checking complement mark or valid period access times checking) after, with the electronic bill (ev) that receives, Hash (F (VPW ') || R1) and Hash (F (VPW ')) send to security module 1300, in security module 1300, carry out electronic bill (ev) and user's offline authentication.In the checking of the content validity of electronic bill public information 1601, detecting under the wrong situation, send error messages from ticket-checked device 1203 to portable phone 1201, stop the processing (record among the figure) that the electronic bill ticket checking is handled.

The field of the bill kind in the security module 1300 contrast electronic bill public informations 1601 and the bill kind of electronic bill information list 1401, use the information (master key (Km), bills company's permit) that relates to which kind of electronic bill in the electronic bill information list 1401 in the specific processing afterwards, also contrast the note number and negative tabulation of electronic bill (ev), checking electronic bill (ev) is not logined in negative tabulation (1811).

At this moment, in electronic bill information list 1401 not shown in the bill kind of the electronic bill (ev) that receives of login under the situation of the electronic bill of kind, or under the situation of the electronic bill that receives (ev) login in negative tabulation, security module 1300 returns mistake to ticket-checked device 1203, subsequently, send error message from ticket-checked device 1203 to portable phone 1201, stop the processing (not record among the figure) that the electronic bill ticket checking is handled.

Then, security module 1300 calculates the hash data Hash (F (VPW ') of the value authentication information that receives) with the binding hash data of master key Km, decruption key the Kt '=Hash of the common key cipher mode of the part of the security information 1600 of the sub-bill of generating solution cipher telegram (Km||Hash (F (VPW '))), and the security information 1600 (1812) of using coprocessor 1305 to decipher electronic bill.

Security module 1300 takes out from the security information 1600 after the deciphering and is worth authentication information 1603F (VPW), and the hash data Hash of the binding of calculating and random number R 1 (F (VPW) || R1), with the Hash that receives from portable phone 1201 (F (VPW ') || R1) contrast, under the situation of unanimity, authenticated is the proper owner (1813) of electronic bill.And security module 1300 uses the public-key cryptography in bills company's permit to verify the digital electronic signature shown in the signature information 1604 of the security information 1600 of utilizing coprocessor 1305 deciphering, and (1814) are not distorted or forge to checking electronic bill (ev).Hash (F (VPW) || R1) with Hash (F (VPW ') || R1) under the inconsistent situation, or in signature Information Authentication (1814), detect under the wrong situation, security module 1300 returns mistake, and send error messages to portable phone 1201 from ticket-checked device 1203, stop the processing (record among the figure) that the electronic bill ticket checking is handled.

In signature Information Authentication (1814), do not detect under the wrong situation, promptly verified under the situation of validity of electronic bill (ev), security module 1300 is a state after ticket checking is handled with the content alteration of electronic bill public information 1601 and electronic bill secret information 1602, and generates electronic bill after ticket checking is handled (ev ') (1815).For example this moment, set up the ticket checking complement mark, but reduce access times.Electronic bill after this ticket checking is handled (ev ') be to link electronic bill public information 1601, with encrypt before electronic bill secret information 1602 and the data that are worth authentication information 1603 result that carries out hash operations.

Then, the hash data Hash of security module 1300 generating value authentication information 1603F (VPW), random number R 1 and the binding of random number R 2 (F (VPW) || R1||R2) (1816) show that the offline authentication of electronic bill is finished.At this moment, ticket-checked device 1203 with Hash (F (VPW) || R1||R2) send, upgrade the message (1817) of electronic bills as request portable phone 1201 with electronic bill (ev ').Hash (F (VPW) || R1||R2) be in the security module 1300 of ticket-checked device 1203, login electronic bill (ev) if the electronic bill information master key Km information that then can not generate, become the information that portable phone 1201 is used to authenticate ticket-checked device 1203.

Portable phone 1201 calculating value authentication information F (VPW '), the hash data Hash of the binding of random number R 1 and random number R 2 (F (VPW ') || R1||R2), and with the Hash that receives (F (VPW ') || R1||R2) contrast, under the situation of unanimity, authentication ticket-checked device 1203 is electronic bill IR devices (1818) of logining electronic bill (ev) in security module 1300, the electronic bill (ev) of electronic bill tabulation 1504 is updated to electronic bill after the ticket checking that receives is handled (ev ') (1819), send the update notification (1820) that electronic bill has been upgraded in expression to ticket-checked device 1203, (1822) are finished in user's demonstration, finish the electronic bill ticket checking and handle.On the other hand, receive control part 1306 portions of control gate mechanism 1307 of the ticket-checked device 1203 of update notification, open the baffle plate of door, allow the user to pass through, finish the electronic bill ticket checking of ticket-checked device 1203 and handle (1821).

In addition, if ticket-checked device 1203 is finished the electronic bill ticket checking and is handled, then record information is logined in the ticket checking record information 1402 of security module 1300, and according to the information of login in the electronic bill information list 1401 and the service terminal control information that receives, the ticket checking of demonstration electronic bill is finished dealing with.For example, under the situation of login acoustic information, ticket-checked device 1203 these acoustic informations of output are as effect sound in electronic bill information list 1401, and in addition, under the situation to service terminal control information restriction voice output, ticket-checked device 1203 is the output effect sound not.

If portable phone 1201 is finished the electronic bill ticket checking and handled, then according to the attribute of the electronic bill that uses and the user terminal control information that receives, the ticket checking of demonstration electronic bill is finished dealing with.For example, the attribute of electronic bill is set the acoustic information of exporting when the electronic bill ticket checking is finished dealing with, and allow the user terminal control information to use the effect sound that attribute is set, under the situation of specifying level of sound volume, portable phone 1201 is with the level of sound volume output sound information of appointment, as effect sound, in addition, under the situation of forbidding the effect sound that user terminal control information use is set attribute, portable phone 1201 is the output effect sound not.In addition, portable phone 1201 too according to the attribute of the electronic bill that uses and the user terminal control information that receives, shows electronic bill ticket checking processing failure when the ticket checking of termination electronic bill is handled after ticket-checked device 1203 sends error message.

In addition, use in the operation (1803) at electronic bill, select the user under the situation of the electronic bill of stated value password not, do not carry out step (1804), the step (1805) of Figure 18, the processing of step (1806), portable phone 1201 receives electronic bill prompting request (1807) from ticket-checked device 1203, in the processing of step (1809), hash operations customer identification information (UID), calculating value authentication information (F (VPW '))=Hash (UID).

In addition, be not based on the digital electronic signature of public key encryption mode in the signature information 1604 of the electronic bill that receives (ev), but kind is to linking electronic bill public information 1601, with electronic bill secret information 1602 and be worth under hash operations result's the situation of electronic bill (ev) of data of authentication information 1603, in the processing of checking (1814) of signature information, the hash data of the data of the electronic bill public information 1601 of the electronic bill that calculating receives binding (ev) and the electronic bill secret information 1602 behind the clear crytpographic key and value authentication information 1603, contrast signature information 1604, checking electronic bill (ev) is not distorted or is forged.

In addition, under the situation that this electronic bill ticket checking is handled,, then from storer, delete the value password of user's input and be worth authentication information if also stop the wallet application program.In the data that between portable phone 1201 and ticket-checked device 1203, exchange, the data that are used for authentication processing all are to have carried out hash operations or ciphered data, therefore, eavesdrop communicating by letter between portable phone 1201 and the ticket-checked device 1203 even suppose the third party, also can't use the data that intercept to pretend to be.

Below, illustrate and use the electronic bill of downloading (ev) to carry out the another step that the electronic bill ticket checking is handled.The another step that Figure 19 represents to use in this example the electronic bill ticket checking of electronic bill (ev) to handle, in step shown in Figure 180, initial user initiates self the wallet application program, but in step shown in Figure 19, start the wallet application program according to the message that receives from ticket-checked device 1203.

At first, if the user holds the door that portable phone 1201 is invaded ticket-checked device 1203, then start sensor 1312 detects, and starts ticket-checked device 1203, and ticket-checked device 1203 generates random number R, as inquiry message (1900).This random number R 1 obtains from security module 1300, is actually that the CPU1301 of security module 1300 generates.In case the user carries out receiving from ticket-checked device 1203 operation (1901) of message, then portable phone 1201 receives electronic bill prompting request (1902) from ticket-checked device 1203.In electronic bill prompting request, comprise bill kind, random number R 1 and user terminal control information.The bill kind is the bill kind tabulation of the electronic bill of login in the electronic bill information list 1401, but is the electronic bill kinds of information that 1203 ticket checking of expression ticket-checked device are handled.

In the portable phone 1201 that receives electronic bill prompting request, start the wallet application program, show whether inquiring user uses the dialog box (1903) of electronic bill.At this moment, bill kind that portable phone 1201 contrasts receive and electronic bill tabulation 1504, the electronic bill that the prompting user is handled by ticket-checked device 1203 ticket checking.Results of comparison exists under the situation of a plurality of corresponding electronic bills in electronic bill tabulation 1504, shows its guide look, under the situation that does not have corresponding electronic bill, shows do not have corresponding electronic bill (not record among the figure) to the user.

If the electronic bill that the user selects to use carries out electronic bill use operation (1904), then show the picture (1905) of input corresponding to the value password of electronic bill.If user's value of import password (VPW ') (1906), then portable phone 1201 calculates the hash data Hash that is worth passwords (VPW ') (VPW '), and contrast authenticated (1907) with the Hash (VPW) of comparable data of corresponding electronic bill in the electronic bill tabulation 1504.With the inconsistent situation of comparable data under, show wrong (not record among the figure), under the situation consistent with comparable data, portable phone 1201 generates random number R 2 (1908), and the value password of use user input (VPW '), the authentication information of calculating value respectively F (VPW ')=Hash (VPW ' || UID), and be worth the hash data Hash (F (VPW ') of authentication information F (VPW ') and the binding of random number R 1 || R1), the hash data Hash of value authentication information (F (VPW ')) (1909), with Hash (F (VPW ') || R1), Hash (F (VPW ')) and the service terminal control information send with electronic bill (ev), as message (1910) to ticket-checked device 1203 prompting electronic bills.At this moment, do not send the part of the demonstration of electronic bill (ev) with information 1605.

Ticket-checked device 1203 at first verify the electronic bill (ev) that receives electronic bill public information 1601 content validity (but the ticket checking complement mark or valid period access times checking) after, with the electronic bill (ev) that receives, Hash (F (VPW ') || R1) and Hash (F (VPW ')) send to security module 1300, in security module 1300, carry out electronic bill (ev) and user's offline authentication.In the checking of the content validity of electronic bill public information 1601, detecting under the wrong situation, send error messages from ticket-checked device 1203 to portable phone 1201, stop the processing (record among the figure) that the electronic bill ticket checking is handled.

The field of the bill kind in the security module 1300 contrast electronic bill public informations 1601 and the bill kind of electronic bill information list 1401, use the information (master key (Km), bills company's permit) that relates to which kind of electronic bill in the electronic bill information list 1401 in the specific processing afterwards, also contrast the note number and negative tabulation of electronic bill (ev), checking electronic bill (ev) is not logined in negative tabulation (1911).

At this moment, in electronic bill information list 1401 not shown in the bill kind of the electronic bill (ev) that receives of login under the situation of the electronic bill of kind, or under the situation of the electronic bill that receives (ev) login in negative tabulation, security module 1300 returns mistake to ticket-checked device 1203, subsequently, send error message from ticket-checked device 1203 to portable phone 1201, stop the processing (not record among the figure) that the electronic bill ticket checking is handled.

Then, security module 1300 calculates the hash data Hash (F (VPW ') of the value authentication information that receives) with the binding hash data of master key Km, decruption key the Kt '=Hash of the common key cipher mode of the part of the security information 1600 of the sub-bill of generating solution cipher telegram (Km||Hash (F (VPW '))), and the security information 1600 (1912) of using coprocessor 1305 to decipher electronic bill.

Security module 1300 takes out from the security information 1600 after the deciphering and is worth authentication information 1603F (VPW), and the hash data Hash of the binding of calculating and random number R 1 (F (VPW) || R1), with the Hash that receives from portable phone 1201 (F (VPW ') || R1) contrast, under the situation of unanimity, authenticated is the proper owner (1913) of electronic bill.And security module 1300 uses the public-key cryptography in bills company's permit to verify the digital electronic signature shown in the signature information 1604 of the security information 1600 of utilizing coprocessor 1305 deciphering, and (1914) are not distorted or forge to checking electronic bill (ev).Hash (F (VPW) || R1) with Hash (F (VPW ') || R1) under the inconsistent situation, or in signature Information Authentication (1914), detect under the wrong situation, security module 1300 returns mistake, and send error messages to portable phone 1201 from ticket-checked device 1203, stop the processing (record among the figure) that the electronic bill ticket checking is handled.

In signature Information Authentication (1914), do not detect under the wrong situation, promptly verified under the situation of validity of electronic bill (ev), security module 1300 is a state after ticket checking is handled with the content alteration of electronic bill public information 1601 and electronic bill secret information 1602, and generates electronic bill after ticket checking is handled (ev ') (1915).For example this moment, set up the ticket checking complement mark, but reduce access times.Electronic bill after this ticket checking is handled (ev ') be to link electronic bill public information 1601, with encrypt before electronic bill secret information 1602 and the data that are worth authentication information 1603 result that carries out hash operations.

Then, the hash data Hash of security module 1300 generating value authentication information 1603F (VPW), random number R 1 and the binding of random number R 2 (F (VPW) || R1||R2) (1916) show that the offline authentication of electronic bill is finished.At this moment, ticket-checked device 1203 with Hash (F (VPW) || R1||R2) send, upgrade the message (1917) of electronic bills as request portable phone 1201 with electronic bill (ev ').Hash (F (VPW) || R1||R2) be in the security module 1300 of ticket-checked device 1203, login electronic bill (ev) if the electronic bill information master key Km information that then can not generate, become the information that portable phone 1201 is used to authenticate ticket-checked device 1203.

Portable phone 1201 calculating value authentication information F (VPW '), the hash data Hash of the binding of random number R 1 and random number R 2 (F (VPW ') || R1||R2), and with the Hash that receives (F (VPW ') || R1||R2) contrast, under the situation of unanimity, authentication ticket-checked device 1203 is electronic bill IR devices (1918) of logining electronic bill (ev) in security module 1300, the electronic bill (ev) of electronic bill tabulation 1504 is updated to electronic bill after the ticket checking that receives is handled (ev ') (1919), send the update notification (1920) that electronic bill has been upgraded in expression to ticket-checked device 1203, (1922) are finished in user's demonstration, finish the electronic bill ticket checking and handle.On the other hand, receive control part 1306 portions of control gate mechanism 1307 of the ticket-checked device 1203 of update notification, open the baffle plate of door, allow the user to pass through, finish the electronic bill ticket checking of ticket-checked device 1203 and handle (1921).

In addition, if ticket-checked device 1203 is finished the electronic bill ticket checking and is handled, then record information is logined in the ticket checking record information 1402 of security module 1300, and according to the information of login in the electronic bill information list 1401 and the service terminal control information that receives, the ticket checking of demonstration electronic bill is finished dealing with.For example, under the situation of login acoustic information, ticket-checked device 1203 these acoustic informations of output are as effect sound in electronic bill information list 1401, and in addition, under the situation to service terminal control information restriction voice output, ticket-checked device 1203 is the output effect sound not.

If portable phone 1201 is finished the electronic bill ticket checking and handled, then according to the attribute of the electronic bill that uses and the user terminal control information that receives, the ticket checking of demonstration electronic bill is finished dealing with.For example, the attribute of electronic bill is set the acoustic information of exporting when the electronic bill ticket checking is finished dealing with, and allow the user terminal control information to use the effect sound that attribute is set, under the situation of specifying level of sound volume, portable phone 1201 is with the level of sound volume output sound information of appointment, as effect sound, in addition, under the situation of forbidding the effect sound that user terminal control information use is set attribute, portable phone 1201 is the output effect sound not.In addition, portable phone 1201 too according to the attribute of the electronic bill that uses and the user terminal control information that receives, shows electronic bill ticket checking processing failure when the ticket checking of termination electronic bill is handled after ticket-checked device 1203 sends error message.

In addition, use in the operation (1903) at electronic bill, select the user under the situation of the electronic bill of stated value password not, do not carry out step (1905), the step (1906) of Figure 19, the processing of step (1907), portable phone 1201 advances to the processing of step (1908), and in the processing of step (1909), hash operations customer identification information (UID), calculating value authentication information (F (VPW '))=Hash (UID).

In addition, be not based on the digital electronic signature of public key encryption mode in the signature information 1604 of the electronic bill that receives (ev), but kind is to linking electronic bill public information 1601, with electronic bill secret information 1602 and be worth under hash operations result's the situation of electronic bill (ev) of data of authentication information 1603, in the processing of checking (1914) of signature information, the hash data of the data of the electronic bill public information 1601 of the electronic bill that calculating receives binding (ev) and the electronic bill secret information 1602 behind the clear crytpographic key and value authentication information 1603, contrast signature information 1604, checking electronic bill (ev) is not distorted or is forged.

In addition, under the situation that this electronic bill ticket checking is handled,, then from storer, delete the value password of user's input and be worth authentication information if also stop the wallet application program.In the data that between portable phone 1201 and ticket-checked device 1203, exchange, the data that are used for authentication processing all are to have carried out hash operations or ciphered data, therefore, eavesdrop communicating by letter between portable phone 1201 and the ticket-checked device 1203 even suppose the third party, also can't use the data that intercept to pretend to be.

In the above explanation of this example 7, though described electronic billing system, but, also same certification authority can be used for the authentication processing of other electronic values such as electronics through ticket system or electronic-monetary system by the electronic bill public information 1601 of change electronic bill and the partial content of electronic bill secret information 1602.For example, under the situation of electronics through ticket system, can be only in the part of electronic bill public information 1601 input relate to the information of the service that discount rate etc. provides by through ticket, in addition, under the situation of electronic-monetary system, also can in the part of electronic bill public information 1601, import the information of expression electronic money remaining sum, but replace access times, when ticket checking was handled, ticket-checked device deducted and utilizes the amount of money.

(example 8)

Below, the electronic key system of traffic use is described, as example 8 of the present invention.In this example 8, the multiple electronic key of portable phone management (ev: electronic values a kind of), and the electronic key (ev) that uses the user to select as the key behind the electronic information, and carry out authentication processing between the locking device.

Figure 20 represents the structured flowchart of electronic key system.Electronic key system by the center 2002 of the management company of equipment such as the facility on all portable phones 2001 of user, managerial meeting chamber or rally ground etc. or taxi, be installed in the locking device 2003 on the door etc. of meeting room or automobile and be connected the network 2004 at portable phone 2001 and center 2002.Electronic key system according to this example, the user 2002 downloads to portable phone 2001 with key as electronic key (ev) from the center, can open or close locking device 2003, because do not produce the key handing-over of physics, so the user needn't arrive the place of managing keys and reach key, in addition, because management-side also needn't be provided with the practitioner of handing-over key, so can realize professional efficient activity.

Network 2004 is made of the cordless communication network and the Internet of portable phone, can communicate based on the radio communication of portable phone 2001 with center 2002.In the communicating by letter of portable phone 2001 and center 2002, security socket layer) or the secret telephony phase (security session) of TLS (Transport Layer Security: transport layer is encrypted) etc. usually establish SSL (Secure Socket Layer:, transmit after the coded communication data.

Portable phone 2001 uses local radio communication functions (radio communication of infrared communication, bluetooth, WLAN, contactless IC card etc.) with locking device 2003, comprehensively connects and communicates by letter.Wallet application program with managing electronic key (ev) downloads in the portable phone 2001 in advance.In addition, in center 2002 and locking device 2003, manage the master key (Km) of the encryption key that is used for generating solution cipher telegram sub-key (ev) encryption section.Expect that from safety master key (Km) is all different to each locking device 2003, but also can in the unit of the locking device 2003 of right quantity, use identical master key (Km).Center 2002 management are used which master key (Km) to each locking device 2003.

Figure 21 is the block diagram of the inner structure of expression locking device 2003.Locking device 2003 comprises: the latch mechanism portion 2111 of physical switch lock; Detect the start sensor 2112 of user's operation and startup locking device 2003; Local radio communication I/F2113; The LED2114 of the state of expression locking device 2003; The control part 2110 of gauge tap 2115 and these parts of control in control part 2110, except that the control circuit of direct control other parts, is also assembled security module 2100.Local radio communication I/F2113 is the communication I/F of radio communication of infrared communication or bluetooth, WLAN, contactless IC card etc., comprehensively is connected in portable phone and communicates.

Security module 2100 is safety management master keys (Km), also safety is carried out the device that the electronic key authentication processing is used, security module 2100 is made of CPU2101, ROM2102, RAM2103, EEPROM2104 and coprocessor 2105, has the anti-tamper function that prevents from the improper visit in outside.

Storage lock ID, master key (Km), management company's public-key cryptography among the EEPROM2104.Lock ID is the identifying information of locking device 2003, master key (Km) is the master key of encryption key that is used to generate electronic key (ev) encryption section of deciphering locking device 2003, and management company's public-key cryptography is the public-key cryptography of management company of the electronic key (ev) of distribution locking device 2003.

CPU2101 control can be read lock ID and management company's public-key cryptography from other control circuit of control part 2110, but can not rewrite the visit of canned data among the EEPROM2104 of security module 2100.In addition, can not read and to control master key (Km) with writing.

Portable phone 2001 possesses local radio communication I/F, and the wallet application program of portable phone 2001 comprehensively is connected with locking device 2003 through local radio communication I/F, and the electronic key (ev) of use wallet application program management carries out the authentication processing of electronic key.In addition, the wallet application program in this example 8 also possesses in the management implementation form 2 electronic bill of explanation in the electronic credit of explanation and the example 3 and carries out the electronic credit clearing or function that the electronic bill ticket checking is handled.

In the storer (nonvolatile memory) of portable phone 2001, as shown in figure 22, storage wallet display message 2201, wallet acoustic information 2202, electronic credit tabulation 2203, electronic bill tabulation 2204, electronic key tabulation 2205 are as the information of wallet application program management.Wallet display message 2201 is that the wallet application program is shown in display message such as the image that uses in the picture in the portable phone or map information, wallet acoustic information 2202 is acoustic informations such as the effect sound used of wallet application program or melodic information, and electronic key tabulation 2205 is tabulations of the electronic key (ev) of wallet application program management.Electronic credit tabulation 2203 is the same with the electronic credit tabulation 703 of explanation in the example 2, and in addition, electronic bill tabulation 2204 is the same with the electronic bill tabulation 1504 of explanation in the example 3, omits explanation here.

Figure 22 represents the situation of 3 electronic keys of login (ev) in the electronic key tabulation 2205.In the electronic key tabulation 2205,1 electronic key (ev) is logined comparable data, customer identification information (UID), electronic key (ev), attribute respectively.The back describes comparable data and customer identification information (UID) in detail.

Attribute is the attribute information that electronic key (ev) is set, for example, and the effect sound of using when order when setting the guide look of wallet application program demonstration electronic key or electronic key authentication processing or the action of LED or Vib. etc.For example the user selectively carries out setting the order that shows electronic key corresponding to usage frequency, the sound of output when wallet acoustic information 2202 is selected to be set in the electronic key authentication processing and finished or during the authentication processing failure respectively, when the electronic key authentication processing is finished, make the LED flicker, or when authentication processing is failed, make the Vib. action.

Figure 23 represents the data structure of electronic key (ev).Electronic key is made of with information 2305 electronic key public information 2301, security information 2300 and demonstration substantially.Security information 2300 is the information of using in the electronic key authentication processing, is encrypted by the encryption key that generates according to master key (Km).In addition, show with information 2305 display message such as image information that to be wallet application programs use when the screen displayed electronic key, set of options.Therefore, by electronic key (ev), have to hold and do not hold to show with information 2305.For example, under the situation of the electronic key of meeting room, with information settings such as the map in expression meeting room place or sketches for showing the information of using.

Electronic key public information 2301 be record key title, key ID, lock ID, valid period, publisher's name etc. relate to electronic key, should be to the part of the disclosed information of user, the wallet application program is used this electronic key public information 2301 when electronic key is shown in picture.

Security information 2300 also is made of with signature information 2304 electronic key secret information 2302, value authentication information 2303.The back describes in detail and is worth authentication information 2303.

Electronic key secret information 2302 be the Customer management information set of the management company of record management locking device 2003 etc. relate to electronic key may not be to the part of the disclosed information of user, be when the electronic key authentication processing, the information used in case of necessity of locking device 2003 clear crytpographic keys, management company.

Signature information 2304 is digital electronic signatures that management company carries out the data of electronic key secret information 2302 before linking electronic key public information 2301 and encrypting and value authentication information 2303, be used for when the electronic key authentication processing, by locking device 2003 clear crytpographic keys, by checking digital electronic signature, the validity of checking electronic key (ev).

Expectation signature information 2304 is based on the digital electronic signature public key encryption mode, that the sufficiently long key of key length generates on the safety in utilization, but also can be judgement, the data of electronic key secret information 2302 before linking electronic key public information 2301 and encrypting and value authentication information 2303 be carried out the result of hash operations by management company.

Below, illustrate that at first the user 2002 downloads to the step of portable phone 2001 with electronic bill (ev) from the center.Figure 24 represents the download step of electronic bill (ev).At first, the user uses the access to the Internet function of portable phone 2001, visit center 2002, the facility of preset conference chamber etc. or taxi etc., in addition, carry out the operation (2400) of the electron gain keys such as settlement process provide a loan in case of necessity, if between portable phone 2001 and center 2002, obtain to handle (2401), then from the center 2002 to portable phone 2001 transmission navigation message (2402).Navigation message (2402) is to supervise portable phone 2001 to download the message of electronic key (ev), comprises the transaction number (TN) of the electronic key (ev) of identification download.

The portable phone 2001 that receives navigation message (2402) starts the wallet application program, show whether inquiry downloads the dialog box (2403) of electronic key, if the user carries out electronic key distribution solicit operation (2404), then show the value password that the input user sets corresponding to the electronic key of downloading (ev) (VPW:＜U〉v＜/U alue＜U p＜/U ass＜U w＜/U ord) picture (2405).

If user's value of import password (2406), then portable phone 2001 will be worth the comparable data of hash operations Hash (VPW) the conduct as a result value password of password (VPW), be stored in the storer of portable phone 2001 (2407), and according to the transaction number (TN) and the moment (T), generate customer identification information UID=Hash (TN||T) (※ || expression data link) and be stored in (2408) in the storer, also according to being worth password (VPW) and customer identification information (UID), generating value authentication information F (VPW)=Hash (VPW||UID) (2409) will comprise transaction number (TN) and send to center 2002 (2410) with the electronic key distribution request that is worth authentication information F (VPW).At this moment, in comparable data Hash (VPW) and customer identification information UID=Hash (TN||T) the electronic key tabulation 2204 on the storer of portable phone 2001, as the data that relate to newly downloaded electronic key, be stored in respectively in the field of comparable data and customer identification information.

Receive the electronic key (2411) of the center 2002 of electronic key distribution request according to the contingent issue of securities of transaction number (TN), hash operations is worth authentication information F (VPW), after master key Km binding, carry out hash operations again, generate the encryption key Kk=Hash (Km||Hash (F (VPW))) (2412) of the common key cipher mode of encrypted electronic key (ev).Center 2002 also generates the electronic key public information and the electronic key secret information of electronic key (ev), and uses the value authentication information F (VPW) and encryption key Kt that receives, and generates the electronic key (ev) (2413) with data structure shown in Figure 23.At this moment, the validity of electronic key (ev) is set the valid period of the content of appointment in handling based on the input of step (2401).For example, under the situation of the electronic key (ev) of meeting room, the valid period of electronic key (ev) is set valid period based on the time band of preset conference chamber.

The electronic key (ev) that generates is sent to portable phone 2001 (2414), and electronic key (ev) is stored in the storer of portable phone (2415), and portable phone 2001 shows to download finishes (2416), finishes the download process of electronic key.At this moment, electronic key (ev) is as new electronic key, is stored in the electronic key tabulation 2204 on the storer of portable phone 2001.In addition, attribute is set default property, in default setting, the sound that uses when setting the electronic key authentication processing.

In addition, in the step (2406) of Figure 24, user's decision operation has precedence over the security of electronic key authentication processing, under the situation of stated value password not, portable phone 2001 is not worth the hash operations of password (VPW) in step (2407), expression is set empty to the comparable data field of electronic key tabulation 2204, and stated value password (VPW) not, in step (2409), hash operations customer identification information (UID), generating value authentication information F (VPW)=Hash (UID).

In addition, if stop the wallet application program, then from the storer of portable phone 2001, delete the value password (VPW) of user's input and be worth authentication information F (VPW).The comparable data that keeps in the storer of portable phone is the data after hash operations is worth password, even the hypothesis third party steals portable phone, and analyzes the content of inner storer, also needn't worry to know the value password.

Below, the electronic key of use downloading (ev) is described, and locking device 2003 between carry out authentication processing, open the step of (or closing) locking device 2003.Figure 25 represents to use in this example the step of the authentication processing of electronic key (ev).

At first, if the user carries out the operation (2500) of startup locking devices 2003 such as the hand steered door handle that locking device 2003 has been installed, then the start sensor 2112 of locking device 2003 detects, and starts locking device 2003, locking device 2003 generates random number R, as inquiry message (2501).This random number R obtains from security module 2100, is actually that the CPU2101 of security module 2100 generates.In case the user carries out receiving from locking device 2003 operation (2502) of message, then portable phone 2001 receives electronic key prompting request (2503) from locking device 2003.In electronic key prompting request, comprise lock ID and random number R.

The portable phone 2001 that receives electronic key prompting request starts the wallet application program, shows whether inquiring user uses the dialog box (2504) of electronic key.At this moment, lock ID that portable phone 2001 contrasts receive and electronic key tabulation 2205 are to the electronic key of user prompt locking device 2003.Under the situation of electronic key that is not correspondence, show it is not corresponding electronic key (figure is record) to the user.

Use operation (2505) if the user carries out electronic key, then show the picture (2506) of input corresponding to the value password of electronic key.If user's value of import password (VPW ') (2507), then portable phone 2001 calculates the hash data Hash that is worth passwords (VPW ') (VPW '), and contrast authenticated (2508) with the Hash (VPW) of comparable data of corresponding electronic key in the electronic key tabulation 2204.With the inconsistent situation of comparable data under, show wrong (not record among the figure), under the situation consistent with comparable data, the value password of portable phone 2001 use user inputs (VPW '), the authentication information of calculating value respectively F (VPW ')=Hash (VPW ' || UID), and be worth the hash data Hash (F (VPW ') of authentication information F (VPW ') and the binding of random number R || R), the hash data Hash of value authentication information (F (VPW ')) (2509), with Hash (F (VPW ') || R) and Hash (F (VPW ')) send with electronic key (ev), as message (2510) to locking device 2003 prompting electronic keys.At this moment, do not send the part of the demonstration of electronic key (ev) with information 2305.

After locking device 2003 is at first verified the validity (lock ID and the checking of valid period) of content of electronic key public information 2301 of the electronic key (ev) that receives, with the electronic bill (ev) that receives, Hash (F (VPW ') || R) and Hash (F (VPW ')) send to security module 2100, in security module 2100, carry out electronic key (ev) and user's offline authentication.In the checking (lock ID and the checking of valid period) of the content validity of electronic key public information 2301, detecting under the wrong situation, send error message from locking device 2003 to portable phone 2001, stop the authentication processing (not record among the figure) of electronic key.That is, because can not use electronic key (ev) automatically, so needn't the return electron key after using above valid period.

Security module 2100 calculates the hash data Hash (F (VPW ') of the value authentication information that receives) with the binding hash data of master key Km, decruption key the Kk '=Hash of the common key cipher mode of the part of the security information 2300 of generating solution cipher telegram sub-key (Km||Hash (F (VPW '))), and the security information 2300 (2511) of using coprocessor 2105 to decipher electronic key.

Security module 2100 takes out from the security information 2300 after the deciphering and is worth authentication information 2303F (VPW), and the hash data Hash of the binding of calculating and random number R (F (VPW) || R), with the Hash that receives from portable phone 2001 (F (VPW ') || R) contrast, under the situation of unanimity, authenticated is the proper owner (2512) of electronic key.And security module 2100 use and management company public-key cryptography are verified the digital electronic signature shown in the signature information 2304 of the security information 2300 of utilizing coprocessor 2105 deciphering, and (2513) are not distorted or forge to checking electronic key (ev).Hash (F (VPW) || R) with Hash (F (VPW ') || R) under the inconsistent situation, or in signature Information Authentication (2513), detect under the wrong situation, security module 2100 returns mistake to locking device 2003, and send error messages to portable phone 2001 from locking device 2003, stop electronic key authentication processing (record among the figure).

In signature Information Authentication (2513), do not detect under the wrong situation, promptly verified under the situation of validity of electronic key (ev), security module 2100 is finished to locking device 2003 demonstration offline authentication, locking device 2003 sends authentication result (2514) to portable phone 2001, finish authentication processing, the portable phone 2001 that receives authentication result shows finishes (2516), finishes the authentication processing of electronic key.

In addition, control part 2106 portions of control lock mechanism 2107 of locking device 2003 open the locking of (or closing) locking device 2103, and finish the electronic key authentication processing (2515) of locking device 2103.

If portable phone 2001 is finished the electronic key authentication processing, then according to the attribute of the electronic key that uses, the demonstration authentication processing is finished.In addition, portable phone 2001 too according to the attribute of the electronic key that uses, shows the authentication processing failure of electronic key when stopping the electronic key authentication processing after locking device 2003 sends error message.

In addition, use in the operation (2505) at electronic key, select the user under the situation of the electronic key of stated value password not, do not carry out step (2506), the step (2507) of Figure 25, the processing of step (2508), portable phone 2001 advances to the processing of step (2509), hash operations customer identification information (UID), calculating value authentication information (F (VPW '))=Hash (UID).

In addition, be not based on the digital electronic signature of public key encryption mode in the signature information 2304 of the electronic bill that receives (ev), but kind is to linking electronic key public information 2301, with electronic key secret information 2302 and be worth under hash operations result's the situation of electronic key (ev) of data of authentication information 2303, in the processing of checking (2513) of signature information, the hash data of the data of the electronic key public information 2301 of the electronic key that calculating receives binding (ev) and the electronic key secret information 2302 behind the clear crytpographic key and value authentication information 2303, contrast signature information 2304, checking electronic key (ev) is not distorted or is forged.

In addition, under the situation of the authentication processing of this electronic key, if also stop the wallet application program, then from storer the value password of deletion user input be worth authentication information.In the data that between portable phone 2001 and locking device 2003, exchange, the data that are used for authentication processing all are to have carried out hash operations or ciphered data, therefore, eavesdrop communicating by letter between portable phone 2001 and the locking device 2003 even suppose the third party, also can't use the data that intercept to pretend to be.

(example 9)

Below, the electronic key system of family's purposes is described, as example 9 of the present invention.In this example 9, locking device as the electronic key of the key behind the electronic information (ev: electronic values a kind of), and uses this electronic key (ev) to portable phone distribution, by carry out authentication processing between portable phone and locking device, opens or closes lock.

The functional block structure of this electronic key system situation with example 4 basically is the same, and Figure 20 represents the structured flowchart of this electronic key system.Electronic key system is by all portable phones 2001 of user, center 2002, locking device 2003 and be connected the network 2004 at portable phone 2001 and center 2002.Wherein, because locking device 2003 is family's usefulness, thus be installed on the door, or install after user's purchase.In addition, center 2002 is center fixtures of making or sell the practitioner of locking device 2003 or practitioner's operation of the wallet application program that downloads to portable phone 2001 being provided.In this electronic key system, center 2002 is used for the wallet application program of managing electronic key (ev) is downloaded to portable phone 2001, in advance the wallet application program being loaded or downloaded under the situation of portable phone 2001, does not need center 2002.

According to the electronic key system of this example 9, can come electronic key (ev) by user's management to a plurality of portable phone 2001 distribution lock phones 2003, in addition, can carry out the ineffective treatment of electronic key (ev).Therefore, a plurality of users can have the key of share to a locking device 2003, or respectively ineffective treatment this share key.In the former key, losing key or do not returning under the situation of share key, for safety, essential exchange locking device, but according to this electronic key system, even lose the portable phone 2001 of store electrons key (ev) or do not return electronic key (ev) to friend's portable phone distribution, also can be in locking device 2003 sides invalid and change electronic key (ev), to portable phone 2001 distribution electronic keys (ev), can improve user's convenience afterwards.

Network 2004 is made of the cordless communication network and the Internet of portable phone, can communicate based on the radio communication of portable phone 2001 with center 2002.In the communicating by letter of portable phone 2001 and center 2002, security socket layer) or the secret telephony phase (security session) of TLS (Transport Layer Security: transport layer is encrypted) etc. usually establish SSL (Secure Socket Layer:, transmit after the coded communication data.

Portable phone 2001 uses local radio communication functions (radio communication of infrared communication, bluetooth, WLAN, contactless IC card etc.) with locking device 2003, comprehensively connects and communicates by letter.

On portable phone 2001, load the wallet application program of managing electronic key (ev).As the wallet application program, both can be the general wallet application program that the user downloads to portable phone 2001 in advance, also can be the special-purpose wallet application programs of buying user's 2002 downloads of locking device 2003 from the center.The user that locking device 2003 describe in detail to be bought in the back 2002 downloads to the step of portable phone 2001 with the wallet application program from the center.

Management wallet application program in center 2002, in addition, in locking device 2003, the lock number (LN) of the master key (Km) of the encryption key of management deciphering electronic key (ev) encryption section, the Verification Number during as the lock ID of the identifying information of locking device 2003 with as locking device 2003 distribution electronic keys (ev) etc.

The inner structure of the locking device 2003 of this electronic key system situation with example 8 basically is identical, and Figure 21 is the block diagram of the inner structure of expression locking device 2003.Locking device 2003 comprises: the latch mechanism portion 2111 of physical switch lock; Detect the start sensor 2112 of user's operation and startup locking device 2003; Local radio communication I/F2113; The LED2114 of the state of expression locking device 2003; The control part 2110 of gauge tap 2115 and these parts of control in control part 2110, except that the control circuit of direct control other parts, is also assembled security module 2100.For to be installed under the situation of the type on the door, in order to prevent the mischief from the outside, expectation gauge tap 2115 is positioned at the inboard of door at locking device 2003.

Local radio communication I/F2113 is the communication I/F of radio communication of infrared communication or bluetooth, WLAN, contactless IC card etc., comprehensively is connected in portable phone and communicates.

Security module 2100 is safety management master keys (Km), also safety is carried out the device that the electronic key authentication processing is used, security module 2100 is made of CPU2101, ROM2102, RAM2103, EEPROM2104 and coprocessor 2105, has the anti-tamper function that prevents from the improper visit in outside.

As shown in figure 26, storage lock ID2601, lock number (LN) 2602, wallet application program URL2603, master key (Km) 2604 and key ID tabulation 2605 among the EEPROM2104.Lock ID2601 is the identifying information of locking device 2003, lock number (LN) the 2602nd, the Verification Number that authenticated is used during locking device 2003 distribution electronic keys (ev), wallet application program URL2603, be the URL (UniformResource Locator) of the special-purpose wallet application program of locking device 2003, master key (Km) the 2604th, the master key of encryption key of electronic key (ev) encryption section of deciphering locking device 2003, key ID tabulation 2605 is tabulations of key ID (identifying information) of the current effective electronic key (ev) of locking device 2003 distribution.

Lock number (LN) the 2602nd, the number of setting when making locking device 2003 is only to have the number that the user of locking device 2003 must know.Therefore, when selling locking device 2003, sell with form that cannot see lock number (LN).For example, take following method: the user buys locking device 2003, by scraping off subsidiary swipe, makes the user know lock number (LN) at first.

In addition, CPU2101 control can be read lock ID2601 and wallet application program URL2603 from other control circuit of control part 2110, but can not rewrite the visit of canned data among the EEPROM2104 of security module 2100.In addition, can not read and to write lock number (LN) 2602.Master key (though Km.2604 can not read or rewrite, can be updated to new master key (Km) behind the regenerating key of the inside of security module 2100.In addition, though key ID tabulation 2605 can not read and rewrite, controlled when being formed in each deletion key ID and distribution electronic key, append key ID again.

The state of the locking device 2003 that LED2115 represents is confirmed on the user limit, and limit operation-control switch 2115 carries out the renewal of master key (Km) or the deletion of key ID.Under the situation of new master key (Km) more, deletion key ID tabulation 2605.

The wallet of portable phone 2001 (wallet) application program is except that possessing from the function of locking device 2003 electron gain keys (ev), the same with the portable phone 2001 of explanation in the example 8, possesses local radio communication I/F, the wallet application program of portable phone 2001 comprehensively is connected with locking device 2003 through local radio communication I/F, and the electronic key (ev) of use wallet application program management carries out the authentication processing of electronic key.Therefore, the wallet application program goes up information of managing at the storer (nonvolatile memory) of portable phone 2001 and omits explanation here.

In addition, also the situation with example 8 is the same basically for the data structure of electronic key (ev), and Figure 23 represents the data structure of the electronic key (ev) in this electronic key system.Wherein, establish signature information 2304 for the data of electronic key secret information 2302 before binding electronic key public information 2301, the encryption and value authentication information 2303 being carried out the result of hash operations.Signature information 2304 is used for when the electronic key authentication processing, and at locking device 2003 side clear crytpographic keys, by contrasting with the result who carries out hash operations again, electronic key (ev) is not distorted or forged in checking.

Below, the gauge tap 2115 of user's operable lock device 2003 is described, with the wallet application program from the center 2002 steps that download to portable phone 2001.Figure 27 represents the download step of wallet application program.At first, the gauge tap 2115 of user's operable lock device 2003, download the initial setting operation (2700) of wallet application program, can be if the user carries out portable phone 2001 from the operation (2701) of locking device 2003 reception message, then portable phone 2001 receives navigation message (2702) from locking device 2003.Comprise wallet application program URL and lock ID in the navigation message.

The portable phone 2001 that receives navigation message shows whether inquiring user downloads the picture (2703) of wallet application program, if the operation (2704) that the user downloads the wallet application program, then portable phone 2001 sends wallet application program download request (2705) to the center shown in the wallet application program URL 2002.In wallet application program download request, comprise lock ID.

The center 2002 that receives wallet application program download request is suitable for the wallet application program (2707) of locking device 2003 according to locking the kind (2706) that ID comes the particular lock device to portable phone 2001 distribution.The portable phone 2001 that receives the wallet application program shows wallet application storage (2708) in storer download and finishes (2709), finishes the download of wallet application program.

Below, illustrate from the step of locking device 2003 to portable phone 2001 distribution electronic keys (ev).Figure 28 represents from the step of locking device 2003 to portable phone 2001 distribution electronic keys (ev).At first, if the user starts the wallet application program (2800) of portable phone 2001, display menu picture (2801) then, select to carry out the operation (2802) that the user asks to issue the electronic key of locking device by menu, show the value password that the input user sets corresponding to lock number, electronic key (ev) (VPW:＜U〉v＜/U alue＜U p＜/U ass＜U w＜/U ord) picture (2803)

If the lock number (LN ') that the user imports locking device 2003 be worth password (VPW) (2804), then portable phone 2001 will be worth the comparable data of hash operations Hash (VPW) the conduct as a result value password of password (VPW), be stored in the storer of portable phone 2001 (2805), and according to lock number (LN ') and (T) constantly, generate customer identification information UID=Hash (LN ' || T) (※ || expression data link) and be stored in (2806) in the storer.At this moment, comparable data Hash (VPW) and customer identification information UID=Hash (LN ' || T) in the tabulation of the electronic key on the storer of portable phone 2,001 2204, as the data that relate to new electronic key, be stored in respectively in the field of comparable data and customer identification information.

If the gauge tap 2115 of user's operable lock device 2003 makes locking device 2003 become the pattern (2807) of distribution electronic key, then locking device 2003 generates random number R 0 (2808), to portable phone 2001 distribution electronic key distribution inquiries (2809).Electronic key distribution inquiry is the apply for information to portable phone 2001, wherein comprises random number R 0.This random number R 0 obtains from security module 2100, is actually that the CPU2101 of security module 2100 generates.

The inquiry portable phone 2001 that receives the electronic key distribution is according to being worth password (VPW) and customer identification information (UID), generating value authentication information F (VPW)=Hash (UID), and binding lock number (LN ') and random number R 0, calculating as the Hash of its hash data (LN ' || R0) (2810), will comprise Hash (LN ' || R0) send to locking device 2003 (2811) with the electronic key distribution request that is worth authentication information F (VPW).

The locking device 2003 that receives electronic key distribution request with the Hash that receives (LN ' || R0) send to security module 2100, in security module 2100, carry out the generation of electronic key (ev) and handle with being worth authentication information F (VPW).Security module 2100 links lock numbers (LN) and random number R 0, calculates its Hash (LN||R0), and with the Hash that receives (LN ' || R0) contrast, authenticated is to know the proper owner (2812) of the locking device 2003 of lock number (LN).

Under the situation of authenticated (Hash (LN ' || R0) consistent with Hash (LN||R0)), security module 2100 hash operations are worth authentication information F (VPW), and link with master key Km, also carry out hash operations, the decruption key Kt=Hash of the common key cipher mode of generating solution cipher telegram sub-key (ev) (Km||Hash (F (VPW))) (2813).Security module 2100 also generates the electronic key public information and the electronic key secret information of electronic key (ev), and use the value authentication information F (VPW) and encryption key Kk receive, generation has the electronic key (ev) of data structure shown in Figure 23, with the key ID login of the electronic key (ev) that generates in key ID tabulation 2605 (2814).When generating electronic key (ev), security module 2100 distributes unique key ID to electronic key (ev).

Under the situation of unauthenticated user (Hash (LN ' || R0) inconsistent with Hash (LN||R0)), security module 2100 returns mistake to locking device 2003, and send error message from locking device 2003 to portable phone 2001, (not record among the figure) handled in the distribution that stops electronic key.

The electronic key (ev) that generates is sent to portable phone 2001 (2815), and electronic key (ev) is stored in the storer of portable phone (2816), and portable phone 2001 shows that distribution finishes dealing with (2817), finishes the distribution of electronic key and handles.At this moment, electronic key (ev) is as new electronic key, is stored in the electronic key tabulation 2204 on the storer of portable phone 2001.In addition, attribute is set default property, in default setting, the sound that uses when setting the electronic key authentication processing.

In addition, in the step (2804) of Figure 28, user's decision operation has precedence over the security of electronic key authentication processing, under the situation of stated value password not, portable phone 2001 is not worth the hash operations of password (VPW) in step (2805), expression is set empty to the comparable data field of electronic key tabulation 2204, and stated value password (VPW) not, in step (2810), hash operations customer identification information (UID), generating value authentication information F (VPW)=Hash (UID).

If stop the wallet application program,, delete lock number, the value password (VPW) of user's input in 2001 the storer and be worth authentication information F (VPW) then from portable electricity.The comparable data that keeps in the storer of portable phone is the data after hash operations is worth password, even the hypothesis third party steals portable phone, and analyzes the content of inner storer, also needn't worry to know the value password.

Below, illustrate and use electronic key (ev), and locking device 2003 between carry out authentication processing, open the step of (or closing) locking device 2003.Figure 29 represents to use in this example the step of the authentication processing of electronic key (ev).At first, if the user carries out the operation (2900) of startup locking devices 2003 such as the hand steered door handle that locking device 2003 has been installed, then the start sensor 2112 of locking device 2003 detects, and starts locking device 2003, locking device 2003 generates random number R, as inquiry message (2901).This random number R obtains from security module 2100, is actually that the CPU2101 of security module 2100 generates.In case the user carries out receiving from locking device 2003 operation (2902) of message, then portable phone 2001 receives electronic key prompting request (2903) from locking device 2003.In electronic key prompting request, comprise lock ID and random number R.

The portable phone 2001 that receives electronic key prompting request starts the wallet application program, shows whether inquiring user uses the dialog box (2904) of electronic key.At this moment, lock ID that portable phone 2001 contrasts receive and electronic key tabulation 2205 are to the electronic key of user prompt locking device 2003.Under the situation of electronic key that is not correspondence, show it is not corresponding electronic key (figure is record) to the user.

Use operation (2905) if the user carries out electronic key, then show the picture (2906) of input corresponding to the value password of electronic key.If user's value of import password (VPW ') (2907), then portable phone 2001 calculates the hash data Hash that is worth passwords (VPW ') (VPW '), and contrast authenticated (2908) with the Hash (VPW) of comparable data of corresponding electronic key in the electronic key tabulation 2204.With the inconsistent situation of comparable data under, show wrong (not record among the figure), under the situation consistent with comparable data, the value password of portable phone 2001 use user inputs (VPW '), the authentication information of calculating value respectively F (VPW ')=Hash (VPW ' || UID), and be worth the hash data Hash (F (VPW ') of authentication information F (VPW ') and the binding of random number R || R), the hash data Hash of value authentication information (F (VPW ')) (2509), with Hash (F (VPW ') || R) and Hash (F (VPW ')) send with electronic key (ev), as message (2910) to locking device 2003 prompting electronic keys.At this moment, do not send the part of the demonstration of electronic key (ev) with information 2305.

After locking device 2003 is at first verified the validity (lock ID and the checking of valid period) of content of electronic key public information 2301 of the electronic key (ev) that receives, with the electronic bill (ev) that receives, Hash (F (VPW ') || R) and Hash (F (VPW ')) send to security module 2100, in security module 2100, carry out electronic key (ev) and user's offline authentication.In the checking (lock ID and the checking of valid period) of the content validity of electronic key public information 2301, detecting under the wrong situation, send error message from locking device 2003 to portable phone 2001, stop the authentication processing (not record among the figure) of electronic key.

Security module 2100 at first contrasts key ID and the key ID tabulation 2605 in the electronic key public information 2301 of electronic key (ev), and checking electronic key (ev) is the effective electron key (2911) of login in key ID tabulation 2605.Under the situation of electronic key (ev) login in key ID tabulation 2605, security module 2100 calculates the hash data Hash that is worth authentication informations (F (VPW ')) with the binding hash data of master key Km, decruption key the Kk '=Hash of the common key cipher mode of the part of the security information 2300 of generating solution cipher telegram sub-key (Km||Hash (F (VPW '))), and the security information 2300 (2912) of using coprocessor 2105 to decipher electronic key.

Security module 2100 takes out from the security information 2300 after the deciphering and is worth authentication information 2303F (VPW), and the hash data Hash of the binding of calculating and random number R (F (VPW) || R), with the Hash that receives from portable phone 2001 (F (VPW ') || R) contrast, under the situation of unanimity, authenticated is the proper owner (2913) of electronic key.And, security module 2100 calculates to the electronic key public information 2301 that links electronic key (ev), with the electronic key secret information 2302 of clear crytpographic key and be worth the hash data of the data of authentication information 2303, and contrast with signature information 2304, (2914) are not distorted or forged to checking electronic key (ev).

Under with the situation of electronic key (ev) login in key ID tabulation 2605, or Hash (F (VPW) || R) with Hash (F (VPW ') || R) under the inconsistent situation, or in signature Information Authentication (2913), detect under the wrong situation, security module 2100 returns mistake to locking device 2003, and send error messages to portable phone 2001 from locking device 2003, stop electronic key authentication processing (record among the figure).

In signature Information Authentication (2914), do not detect under the wrong situation, promptly verified under the situation of validity of electronic key (ev), security module 2100 is finished to locking device 2003 demonstration offline authentication, locking device 2003 sends authentication result (2915) to portable phone 2001, finish authentication processing, the portable phone 2001 that receives authentication result shows finishes (2917), finishes the authentication processing of electronic key.

In addition, control part 2106 portions of control lock mechanism 2107 of locking device 2003 open the locking of (or closing) locking device 2103, and finish the electronic key authentication processing (2916) of locking device 2103.

If portable phone 2001 is finished the electronic key authentication processing, then according to the attribute of the electronic key that uses, the demonstration authentication processing is finished.In addition, portable phone 2001 too according to the attribute of the electronic key that uses, shows the authentication processing failure of electronic key when stopping the electronic key authentication processing after locking device 2003 sends error message.

In addition, use in the operation (2905) at electronic key, select to use the user under the situation of the electronic key of stated value password not, do not carry out step (2906), the step (2907) of Figure 29, the processing of step (2908), portable phone 2001 advances to the processing of step (2909), hash operations customer identification information (UID), calculating value authentication information (F (VPW '))=Hash (UID).

In addition, under the situation of the authentication processing of this electronic key, if also stop the wallet application program, then from storer the value password of deletion user input be worth authentication information.In the data that between portable phone 2001 and locking device 2003, exchange, the data that are used for authentication processing all are to have carried out hash operations or ciphered data, therefore, eavesdrop communicating by letter between portable phone 2001 and the locking device 2003 even suppose the third party, also can't use the data that intercept to pretend to be.

Has the effect that the portable terminal device that can utilize no anti-tamper function carries out safety certification processing etc. according to electronic values authentication mode of the present invention and Verification System and device, and be used for following service etc., electronic values behind electronic information credit card or access, membership card, ID card, bill etc. is stored in user's portable terminal device, by authenticated is their the proper owner, provides corresponding respectively thing or service to the user.

Claims (9)

1, a kind of authentication mode is characterized in that:

In following authentication processing, be that user-side device keeps electronic values, described electronic values has comprised first of encrypted state and has been worth authentication information, first is worth authentication information has implemented first irreversible operation processing to the appointed authentication information of electronic values, to the user is in the processing that authenticates of the proper holder of described electronic values

After generating random number, authentication side device sends to user-side device, user-side device is implemented first irreversible operation to the input authentication information of the electronic values that the user is imported and is handled, generate second and be worth authentication information, and described second data that are worth authentication information and the combination of described random number are implemented second irreversible operation handle, generate second authentication information, described electronic values and described second authentication information are sent to authentication side device, the password of the electronic values that described authentication side device deciphering receives, from electronic values, take out first and be worth authentication information, described first data that are worth authentication information and the combination of described random number are implemented second irreversible operation to be handled, generate first authentication information, verify that described second authentication information that receives is consistent with first authentication information of described generation, come authenticated.

2, authentication mode according to claim 1 is characterized in that:

In following authentication processing, be to implement first decruption key that first data after the 3rd irreversible operation is handled and master key are generated promptly by being worth authentication information to first at the decruption key of the encryption section of described electronic values, authenticated is in proper holder's the processing of described electronic values, user-side device also is worth authentication information to described second and implements the 3rd irreversible operation processing, generate second data, with described electronic values and described second authentication information described second data are sent to authentication side device, authentication side device generates second decruption key according to second data and the master key that receive, deciphers the password of the electronic values that receives with described second decruption key.

3, a kind of user-side device to authentication side device request authentification of user, is characterized in that:

Possess:

The electronic values obtaining section obtains electronic values, has comprised the first value authentication information of appointed authentication information having been implemented first irreversible operation processing with encrypted state in the described electronic values,

Be worth the authentication information generating unit, the input authentication information of the described electronic values of user's input implemented first irreversible operation handle, generate second and be worth authentication information,

The authentication information generating unit is worth authentication information to described second and implements second irreversible operation processing with the data of the random number combination that receives from authentication side device, generates second authentication information,

Sending part sends to authentication side device with the described electronic values and second authentication information.

4, user-side device according to claim 3 is characterized in that:

The decruption key of the encryption section of described electronic values is to implement first decruption key that first data after the 3rd irreversible operation is handled and master key are generated by being worth authentication information to first,

Described user-side device also possesses:

The second data generating unit is worth authentication information to described second and implements the 3rd irreversible operation processing, generates second data,

Described sending part together sends to authentication side device with second data and described electronic values, described second authentication information.

5, a kind of authentication side device carries out the user's of user-side device authentification of user, it is characterized in that possessing:

The random number sending part sends to described user-side device after the generation random number,

Acceptance division, receive the electronic values and second authentication information from described user-side device, described electronic values includes with the state of encrypting has implemented the first value authentication information that first irreversible operation is handled to appointed authentication information, described second authentication information applies first irreversible operation by the input authentication information to described user input and handles second being worth the combined data of authentication information and described random number and implementing second irreversible operation and handle generation of generating

Be worth the authentication information leading-out portion, the password of the encryption section of the described electronic values that deciphering receives takes out first and is worth authentication information from electronic values,

The first authentication information generating unit is implemented second irreversible operation to the data after described first value authentication information and the combination of described random number, generates first authentication information,

Proof department, described second authentication information that checking receives is consistent with described first authentication information of generation, authenticated.

6, authentication side device according to claim 5 is characterized in that:

Also possesses the decruption key generating unit, the decruption key of the encryption section of described electronic values is to have implemented first decruption key that first data after the 3rd irreversible operation is handled and master key are generated by being worth authentication information to first, described acceptance division also receives from described user-side device and is worth second data that authentication information has been implemented the 3rd irreversible operation processing generation to second, by described second data and the master key that receive, generate second decruption key, described value authentication information leading-out portion is deciphered the password of the electronic values that receives with described second decruption key that generates.

7, a kind of electronic values distribution device receives the electronic values distribution request message of request distribution electronic values and to described user-side device distribution electronic values, it is characterized in that possessing from user-side device:

Acceptance division, reception comprise the electronic values distribution request message to the appointed authentication information of the electronic values of user's appointment of user-side device,

Be worth the authentication information generating unit, the appointed authentication information of the described electronic values that receives implemented first irreversible operation handle, the generating value authentication information,

The encryption key generating unit, according to the data and master key generation encryption key the described value authentication information that generates implemented after second irreversible operation is handled,

The electronic values generating unit, the encryption key that use to generate, generate the encryption that comprises described value authentication information the electronic values of information,

Sending part sends to described user-side device with the electronic values that generates.

8, a kind of electronic values distribution device receives the electronic values distribution request message of request distribution electronic values and to described user-side device distribution electronic values, it is characterized in that possessing from user-side device:

Acceptance division, reception comprise the electronic values distribution request message that the appointed authentication information of the electronic values of user's appointment of user-side device is applied the value authentication information of first irreversible operation processing,

The encryption key generating unit, according to the data and master key generation encryption key the described value authentication information that generates implemented after second irreversible operation is handled,

The electronic values generating unit, the described encryption key that use to generate generates the electronic values of the information that has comprised described value encrypted authentication information,

Sending part sends to described user-side device with the electronic values that generates.

9, a kind of locking device receives the electronic key distribution request message of request distribution electronic key information and described user-side device is issued electronic key information from user-side device, it is characterized in that: have

Electronic key distribution request acceptance division receives and comprises the electronic key distribution request message that first after the appointed authentication information of the electronic key information of user's appointment of user-side device implemented first irreversible operation and handle is worth authentication information,

The encryption key generating unit, according to described first data and the master key generation encryption key that is worth after authentication information has been implemented the 3rd irreversible operation processing to receiving,

The electronic key generating unit is used the electronic key of described generation, generate comprise with described first be worth encrypted authentication information the electronic key information of information,

Sending part sends to described user-side device with the electronic key information that generates,

The random number sending part when the authentication of electronic key information, sends to described user-side device after the generation random number,

Acceptance division, receive second authentication information, be worth second data and the electronic key that authentication information is implemented the 3rd irreversible operation processing generation from described user-side device second, described second authentication information is handled second being worth authentication information and the combined data of random number and implementing second irreversible operation and handle and generate of being generated by the input authentication information that the user imported of described user-side device being implemented first irreversible operation

The decruption key generating unit, according to second data and master key generating solution decryption key,

Be worth the authentication information leading-out portion, use the decruption key of described generation, the password of the encryption section of the described electronic key information that deciphering receives takes out first and is worth authentication information from electronic key information,

The first authentication information generating unit is implemented second irreversible operation to the combined data of described first hand value authentication information and described random number and is handled, and generates first authentication information,

Proof department, described second authentication information that checking receives is consistent with described first authentication information of generation, authentication electronic key information,

Latch mechanism portion, the switching of locking under by the authentic situation of described proof department in electronic key information.

Images